CVE-2026-49274
Received Received - Intake

Information Disclosure in Kirby CMS

Vulnerability report for CVE-2026-49274, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or site to the page picker backend and confirm arbitrary page existence and retrieve title field values. This issue is fixed in versions 4.9.4 and 5.4.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-10
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
getkirby kirby 4.9.4
getkirby kirby 5.4.4
getkirby kirby to 4.9.4|end_including=5.4.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-49274 is a moderate severity vulnerability in the Kirby CMS affecting versions prior to 4.9.4 and 5.4.4. It occurs when sites use the pages field with roles that have the pages.access permission disabled. Authenticated users with such roles can exploit this flaw to confirm the existence of arbitrary pages and retrieve their title field values by providing an inaccessible parent page or site to the page picker backend.

The vulnerability arises because the backend did not properly check if the requested parent page or site was accessible to the user, allowing unauthorized information disclosure. This issue does not allow write actions and requires authentication to exploit. The fix implemented in versions 4.9.4 and 5.4.4 ensures the pages picker consistently verifies the pages.access permission before returning data.

Impact Analysis

This vulnerability can impact you by allowing authenticated users without proper permissions to confirm the existence of arbitrary pages on your Kirby CMS site and retrieve their title field values. This leads to unauthorized information disclosure, potentially exposing sensitive or confidential page titles.

However, the vulnerability does not allow modification or deletion of content, and it cannot be exploited without authentication. The overall impact is limited to information disclosure with a moderate severity rating (CVSS score 5.3).

Detection Guidance

This vulnerability involves authenticated users being able to confirm the existence of arbitrary pages and retrieve their title fields through the pages picker backend when the pages.access permission is disabled. Detection would require verifying if unauthorized page existence confirmation or title retrieval is possible via the pages picker.

Since the issue requires authentication and involves interaction with the pages picker backend, detection could involve monitoring or testing authenticated requests to the pages picker API or interface to see if inaccessible pages can be queried.

No specific commands or network detection signatures are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade Kirby CMS to version 4.9.4 or 5.4.4 or later, where the vulnerability has been fixed by adding proper authorization checks in the pages picker backend.

If upgrading is not immediately possible, users should restrict authenticated user roles that have access to the pages field or disable the pages picker functionality to limit exposure.

Review and tighten permissions related to pages.access to ensure that unauthorized users cannot exploit this flaw.

Compliance Impact

The vulnerability allows authenticated users without proper permissions to confirm the existence of arbitrary pages and retrieve their title fields, potentially exposing sensitive information.

This unauthorized disclosure of information could impact compliance with data protection regulations such as GDPR and HIPAA, which require protection of sensitive data and strict access controls.

However, the vulnerability does not allow write actions and requires authentication, which somewhat limits the risk.

The issue has been fixed in Kirby versions 4.9.4 and 5.4.4 by adding proper authorization checks to prevent unauthorized access to page information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49274. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart