CVE-2026-44176
Received Received - Intake

Permission Bypass in Kirby CMS Page Drafts

Vulnerability report for CVE-2026-44176, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Kirby is an open-source content management system. Versions prior to 4.9.1 and 5.4.1 do not check the `pages.access` permission during page draft rendering. Permissions are defined for each user role in the user blueprint (site/blueprints/users/...). It is also possible to customize the permissions for each target model in the model blueprints (such as in site/blueprints/pages/...) using the options feature. The permissions and options together control the authorization of user actions. Kirby provides the pages.access and pages.list permissions (among others). The list permission controls whether affected models appear in lists throughout the Panel and REST API. The access permission has the same effect but also disables direct access to the affected models. This vulnerability affects the path resolver for the main CMS router. The resolver takes an input path from the requested URL and determines which model (page or file) should be rendered. When a path is requested that points to a page draft, the resolver checks that the request either contains a valid preview token or is authenticated by a valid user. In affected releases, Kirby allowed page drafts to be rendered if any valid user was authenticated, even if that user did not have access to the specific page model. Authenticated attackers with knowledge of the full path to an existing page draft could then access the rendered frontend page. This could lead to the disclosure of sensitive information, e.g. ahead of the launch of a new product or post. This issue has been fixed in versions 4.9.1 and 5.4.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
getkirby kirby to 5.4.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Kirby CMS versions before 4.9.1 and 5.4.1 have a flaw where the pages.access permission is not checked during page draft rendering. This allows authenticated users to view draft pages even if they lack specific access permissions. The vulnerability stems from the path resolver not properly validating user permissions for draft pages.

Detection Guidance

To detect this vulnerability, check if your Kirby CMS version is prior to 4.9.1 or 5.4.1. Inspect the user and page blueprints for misconfigured permissions. Verify if authenticated users without proper access can view page drafts via direct URL access.

Impact Analysis

Attackers with knowledge of a draft page's URL could access sensitive information before its intended public release. This could include confidential product details, internal communications, or other unpublished content, potentially causing reputational or financial harm.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating GDPR's data protection principles or HIPAA's confidentiality requirements. Organizations using affected Kirby versions may face compliance breaches if draft content containing personal or health data is exposed.

Mitigation Strategies

Upgrade Kirby CMS to version 4.9.1 or 5.4.1 or later. Review and correct user role permissions in site/blueprints/users/... and model blueprints in site/blueprints/pages/... Ensure pages.access permission is properly enforced for drafts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44176. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart