CVE-2026-45334
Received Received - Intake

Information Disclosure in Kirby CMS

Vulnerability report for CVE-2026-45334, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, the content-locking feature returned lock information without checking the requesting user's access permissions. Kirby's Panel includes a content-locking feature that records which user currently has a model open for editing. This lock prevents conflicting edits by multiple users and displays the locking user's identity in the Panel UI so other users know who to contact. Internally, the locking user's email address and identifier are included in every Panel view payload and in error responses returned when a user attempts to edit a model that is currently locked by another user. This allowed a low-privilege authenticated Panel user, whose role was configured with users.access: false or users.list: false, to learn the email address and identifier of any user who currently had a model open for editing in the Panel, including administrators and other higher-privilege users. Content locks are active for a configurable window (10 minutes by default). The email address can allow admin account enumeration, target phishing, and feed credential-stuffing attacks against the Kirby installation or other sites. The internal user ID can be cross-referenced with other endpoints once the requester has obtained a higher privilege through unrelated means. This issue has been fixed in versions 4.9.1 and 5.4.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
kirby kirby to 5.4.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Kirby CMS versions before 4.9.1 and 5.4.1 had a flaw in the content-locking feature. When a user opened a file for editing, the system exposed the locking user's email and ID in every Panel view and error responses without checking if the requesting user had permission to see this information. This allowed low-privilege users to discover details about higher-privilege users who had files open.

Detection Guidance

To detect this vulnerability, monitor Panel view payloads and error responses for exposed user email addresses and identifiers. Check if low-privilege users can access lock information for higher-privilege users. Verify if the content-locking feature reveals sensitive user details without proper access checks.

Impact Analysis

An attacker with low privileges could enumerate admin accounts, enabling targeted phishing attacks or credential stuffing against the Kirby site or other services. The exposed email addresses could also be used in broader attacks against other platforms if users reuse credentials.

Mitigation Strategies

Upgrade Kirby to version 4.9.1 or 5.4.1 or later to patch the vulnerability. Review user roles to ensure proper access controls are enforced. Monitor for unauthorized access attempts to the content-locking feature.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45334. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart