CVE-2026-54003
Received Received - Intake

Kirby CMS Panel Installation via Proxy Headers

Vulnerability report for CVE-2026-54003, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Kirby is an open-source content management system. Prior to 4.9.4 and from 5.4.4, Kirby sites with no configured user accounts that run on publicly accessible servers behind a reverse proxy setting the Forwarded, X-Client-IP, or X-Real-IP request header could allow remote attackers to install the Panel and create the first admin user because local-IP checks trusted those headers incorrectly. This issue is fixed in versions 4.9.4 and 5.4.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-10
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
getkirby kirby 4.9.4
getkirby kirby 5.4.4
getkirby kirby to 4.9.4 (exc)
getkirby kirby From 5.4.4 (inc) to 5.5.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-454 The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-54003 is a critical vulnerability in the Kirby content management system that affects versions prior to 4.9.4 and from 5.0.0 up to 5.4.3. The issue arises when Kirby sites have no configured user accounts and run on publicly accessible servers behind a reverse proxy that sets certain HTTP headers such as Forwarded, X-Client-IP, or X-Real-IP.

The vulnerability occurs because Kirby's method for detecting whether a request is local (the isLocal check) incorrectly trusts these headers, leading to improper IP address detection. Specifically, the code incorrectly reads the 'for=' field from the Forwarded header, causing it to treat remote requests as local. This allows remote attackers to bypass local-only restrictions and remotely install the Kirby Panel and create the first admin user account.

The root cause was a bug in the Http/Environment class where the detectForwarded() method extracted the client IP incorrectly from the Forwarded header. The fix involved correctly parsing the 'for=' value from the header and adding checks for additional headers (X-Client-IP and X-Real-IP) to improve local request detection.

Impact Analysis

This vulnerability can have severe impacts if your Kirby site is affected and exposed to the internet without any configured user accounts. An attacker can exploit the flaw to remotely install the Kirby Panel and create the first administrative user account, effectively gaining full control over the site.

Such unauthorized access compromises the confidentiality and integrity of your site, allowing attackers to modify content, access sensitive data, or perform administrative actions.

The vulnerability is critical with a CVSS score of 9.1, indicating high severity and potential for significant damage.

Sites that already have an admin account, have disabled the Panel/API, or use different proxy headers (like X-Forwarded-For or Client-IP) are not affected.

Detection Guidance

This vulnerability involves incorrect detection of client IP addresses from the Forwarded, X-Client-IP, or X-Real-IP headers in Kirby CMS when behind a reverse proxy. To detect if your system is vulnerable, you can check if your Kirby CMS version is below 4.9.4 or between 5.0.0 and 5.4.3, and if your server is using these headers for client IP detection.

To detect exploitation attempts or presence of the vulnerability on your network, you can monitor HTTP requests for suspicious usage of the Forwarded, X-Client-IP, or X-Real-IP headers that might be used to spoof local IP addresses.

Suggested commands to inspect HTTP headers in network traffic or logs include:

  • Using tcpdump or tshark to capture HTTP traffic and filter for suspicious headers, e.g.: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -iE 'Forwarded|X-Client-IP|X-Real-IP'
  • Using curl to manually test your server response with spoofed headers, e.g.: curl -H 'Forwarded: for=127.0.0.1' -H 'X-Client-IP: 127.0.0.1' -H 'X-Real-IP: 127.0.0.1' https://your-kirby-site.com/panel
  • Checking your web server or application logs for requests containing these headers with local IP values from external sources.

Additionally, reviewing the Kirby CMS source code or environment detection logic (specifically the detectForwarded() and isLocal() methods) can help confirm if your version is affected by the incorrect header parsing.

Mitigation Strategies

The primary mitigation step is to upgrade Kirby CMS to version 4.9.4 or 5.4.4 or later, where the vulnerability has been fixed.

If immediate upgrade is not possible, consider the following workarounds:

  • Manually create an admin user account on the Kirby site to prevent attackers from creating the first admin user remotely.
  • Disable the Kirby Panel and REST API temporarily to block remote initialization attempts.
  • Configure your reverse proxy to avoid using the vulnerable headers (Forwarded, X-Client-IP, X-Real-IP) for client IP detection, or replace them with safer headers like X-Forwarded-For or Client-IP.

Additionally, review and harden your reverse proxy and firewall rules to restrict access to the Kirby Panel and administrative endpoints only to trusted IP addresses.

Compliance Impact

The vulnerability in Kirby CMS allows remote attackers to install the Panel and create the first admin user on publicly accessible servers behind certain reverse proxy configurations. This unauthorized creation of an admin account could lead to unauthorized access and control over the system.

Such unauthorized access can compromise the confidentiality and integrity of data managed by the CMS, potentially leading to data breaches or unauthorized data manipulation.

Consequently, this vulnerability could negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to personal and sensitive data.

Organizations using affected versions of Kirby CMS should apply the patches or implement recommended workarounds to mitigate the risk and maintain compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54003. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart