CVE-2026-42174
Improper Access Control in Kirby CMS
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getkirby | kirby | up to 4.9.0 (excluding); up to 5.4.0 (excluding) |
| getkirby | kirby | from 4.8.0 (including) up to 5.0.0 (excluding) |
| getkirby | kirby | from 5.0.0 (including) up to 5.3.4 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42174 is a vulnerability in the Kirby content management system affecting versions 4.8.0 and below, as well as 5.0.0 to 5.3.3. The issue allows authenticated users to create, replace, or delete user avatars without proper authorization checks.
Normally, Kirby enforces user.update or users.update permissions to control user profile modifications, but avatars were only subject to file permissions (files.create, files.replace, files.delete). This oversight enabled users with only file permissions to manipulate avatars, bypassing intended user update restrictions.
The vulnerability is classified under CWE-862 (Missing Authorization), meaning the system fails to verify proper permissions before allowing sensitive actions. It has been patched in Kirby versions 4.9.0 and 5.4.0 by adding additional permission checks for user.update/users.update during avatar operations.
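The authorization gap described above, modelled as an added example (this is not Kirby's own code or API): the pre-fix check consults only the files.* permission for an avatar operation, while the post-fix check additionally requires user.update or users.update. It is assumed here that user.update governs the actor's own account and users.update other accounts; the role set is constructed for illustration.

```python
# Model of the authorization gap described in CVE-2026-42174 (constructed
# example; it does not use Kirby's real code or API). Permissions are a set of
# strings such as "files.replace" or "users.update". Assumed here: "user.update"
# governs changes to the actor's own account, "users.update" other accounts.

AVATAR_ACTIONS = {"create", "replace", "delete"}


def avatar_allowed_vulnerable(actor_perms: set[str], action: str) -> bool:
    """Pre-fix behaviour: an avatar is treated as a plain file, so only the
    matching files.* permission is consulted."""
    if action not in AVATAR_ACTIONS:
        raise ValueError(f"unknown avatar action: {action}")
    return f"files.{action}" in actor_perms


def avatar_allowed_patched(actor_perms: set[str], action: str,
                           actor_id: str, target_user_id: str) -> bool:
    """Post-fix behaviour: the file permission is still required, and the
    avatar change is additionally treated as an update of the user."""
    if not avatar_allowed_vulnerable(actor_perms, action):
        return False
    needed = "user.update" if actor_id == target_user_id else "users.update"
    return needed in actor_perms


def find_bypass(roles: dict[str, set[str]], actor_id: str, target_user_id: str):
    """Return (role, action) pairs the vulnerable check accepts but the patched
    check rejects: the avatar changes a role could make only because the
    user-update authorization check was missing."""
    gaps = []
    for role, perms in sorted(roles.items()):
        for action in sorted(AVATAR_ACTIONS):
            if (avatar_allowed_vulnerable(perms, action)
                    and not avatar_allowed_patched(perms, action, actor_id, target_user_id)):
                gaps.append((role, action))
    return gaps


# Constructed role set for illustration only.
ROLES = {
    "editor": {"files.create", "files.replace", "files.delete", "user.update"},
    "admin": {"files.create", "files.replace", "files.delete", "user.update", "users.update"},
    "uploader": {"files.create", "files.replace"},
}

if __name__ == "__main__":
    # Actor u1 touching the avatar of another account u2: every file
    # permission "editor" and "uploader" hold becomes a gap the fix closes.
    print(find_bypass(ROLES, actor_id="u1", target_user_id="u2"))
```

Running find_bypass against your own role definitions (with the same assumptions) shows which roles could have changed avatars on an unpatched install, which is the permission review the mitigation section asks for.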
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Kirby CMS allows authenticated users to create, replace, or delete user avatars without proper authorization checks, bypassing intended user update permissions. This missing authorization (CWE-862) could lead to unauthorized modification of user profile data.
Such unauthorized access and modification of user-related data may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over personal data access and modification to protect user privacy and data integrity.
By allowing unauthorized avatar changes, the system could be seen as failing to enforce adequate access controls, potentially leading to non-compliance with these regulations until the issue is patched in versions 4.9.0 and 5.4.0.
How can this vulnerability impact me?
This vulnerability allows authenticated users with only file permissions to create, replace, or delete user avatars without having the proper user update permissions. This could lead to unauthorized modification of user profile avatars.
Such unauthorized changes could be used to impersonate other users, cause confusion, or disrupt user identity representation within the system.
The vulnerability requires low privileges and no user interaction for exploitation, making it easier for attackers with limited access to abuse this flaw.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper authorization checks on user avatar creation, replacement, and deletion in Kirby CMS versions prior to 4.9.0 and 5.4.0. Detection would involve verifying if your Kirby installation is running a vulnerable version and checking if unauthorized avatar modifications have occurred.
Since the vulnerability allows users with only file permissions to manipulate avatars without proper user update permissions, you can audit user permissions and avatar file changes.
- Check the Kirby CMS version installed to confirm if it is below 4.9.0 or between 5.0.0 and 5.3.3.
- Review user permissions related to file operations (files.create, files.replace, files.delete) and user update permissions (user.update, users.update).
- Audit logs or file system timestamps for unexpected avatar file changes.
Specific commands depend on your environment, but examples include:
- On the server, use commands like `grep` or `find` to locate recent changes to avatar files, e.g., `find /path/to/kirby/content/users/ -type f -name 'avatar.*' -mtime -7` to find avatar files modified in the last 7 days.
- Check Kirby version via command line or by inspecting the version file, e.g., `cat /path/to/kirby/version` or using any CLI tools provided by Kirby.
- Review user permission settings in the Kirby CMS panel or configuration files to identify if users have only file permissions without user update permissions.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Kirby CMS to a patched version where this vulnerability is fixed.
- Upgrade Kirby CMS to version 4.9.0 or later, or 5.4.0 or later, where additional permission checks for user.update/users.update during avatar operations have been implemented.
- Review and tighten user permissions to ensure that only authorized users have file permissions related to avatar files.
- Monitor avatar file changes and audit user activities to detect any unauthorized modifications.
If immediate upgrade is not possible, consider restricting file permissions temporarily to prevent unauthorized avatar modifications.