CVE-2026-42174
Received Received - Intake
Improper Access Control in Kirby CMS

Publication date: 2026-05-09

Last updated on: 2026-05-18

Assigner: GitHub, Inc.

Description
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-09
Last Modified
2026-05-18
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42174
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
getkirby kirby to 4.9.0 (exc)
getkirby kirby From 5.0.0 (inc) to 5.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42174 is a vulnerability in the Kirby content management system affecting versions 4.8.0 and below, as well as 5.0.0 to 5.3.3. The issue allows authenticated users to create, replace, or delete user avatars without proper authorization checks.

Normally, Kirby enforces user.update or users.update permissions to control user profile modifications, but avatars were only subject to file permissions (files.create, files.replace, files.delete). This oversight enabled users with only file permissions to manipulate avatars, bypassing intended user update restrictions.

The vulnerability is classified under CWE-862 (Missing Authorization), meaning the system fails to verify proper permissions before allowing sensitive actions. It has been patched in Kirby versions 4.9.0 and 5.4.0 by adding additional permission checks for user.update/users.update during avatar operations.

Impact Analysis

This vulnerability allows authenticated users with only file permissions to create, replace, or delete user avatars without having the proper user update permissions. This could lead to unauthorized modification of user profile avatars.

Such unauthorized changes could be used to impersonate other users, cause confusion, or disrupt user identity representation within the system.

The vulnerability requires low privileges and no user interaction for exploitation, making it easier for attackers with limited access to abuse this flaw.

Detection Guidance

This vulnerability involves improper authorization checks on user avatar creation, replacement, and deletion in Kirby CMS versions prior to 4.9.0 and 5.4.0. Detection would involve verifying if your Kirby installation is running a vulnerable version and checking if unauthorized avatar modifications have occurred.

Since the vulnerability allows users with only file permissions to manipulate avatars without proper user update permissions, you can audit user permissions and avatar file changes.

  • Check the Kirby CMS version installed to confirm if it is below 4.9.0 or between 5.0.0 and 5.3.3.
  • Review user permissions related to file operations (files.create, files.replace, files.delete) and user update permissions (user.update, users.update).
  • Audit logs or file system timestamps for unexpected avatar file changes.

Specific commands depend on your environment, but examples include:

  • On the server, use commands like `grep` or `find` to locate recent changes to avatar files, e.g., `find /path/to/kirby/content/users/ -type f -name 'avatar.*' -mtime -7` to find avatar files modified in the last 7 days.
  • Check Kirby version via command line or by inspecting the version file, e.g., `cat /path/to/kirby/version` or using any CLI tools provided by Kirby.
  • Review user permission settings in the Kirby CMS panel or configuration files to identify if users have only file permissions without user update permissions.
Mitigation Strategies

The primary mitigation step is to upgrade Kirby CMS to a patched version where this vulnerability is fixed.

  • Upgrade Kirby CMS to version 4.9.0 or later, or 5.4.0 or later, where additional permission checks for user.update/users.update during avatar operations have been implemented.
  • Review and tighten user permissions to ensure that only authorized users have file permissions related to avatar files.
  • Monitor avatar file changes and audit user activities to detect any unauthorized modifications.

If immediate upgrade is not possible, consider restricting file permissions temporarily to prevent unauthorized avatar modifications.

Compliance Impact

The vulnerability in Kirby CMS allows authenticated users to create, replace, or delete user avatars without proper authorization checks, bypassing intended user update permissions. This missing authorization (CWE-862) could lead to unauthorized modification of user profile data.

Such unauthorized access and modification of user-related data may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over personal data access and modification to protect user privacy and data integrity.

By allowing unauthorized avatar changes, the system could be seen as failing to enforce adequate access controls, potentially leading to non-compliance with these regulations until the issue is patched in versions 4.9.0 and 5.4.0.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42174. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart