CVE-2026-54004
Received Received - Intake

Information Disclosure in Kirby CMS via Draft File Redirects

Vulnerability report for CVE-2026-54004, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites with content.fileRedirects enabled could redirect unauthenticated clean file URL requests for files stored in top-level draft pages to physical media URLs without checking page access permissions or preview tokens, leading to disclosure of draft file contents. This issue is fixed in versions 4.9.4 and 5.4.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-10
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
getkirby kirby to 4.9.4 (inc)
getkirby kirby to 5.4.4 (inc)
getkirby kirby to 5.4.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthorized disclosure of draft file contents stored in top-level draft pages due to missing access permission checks when the content.fileRedirects option is enabled.

Such unauthorized disclosure of sensitive or confidential information could lead to non-compliance with data protection regulations and standards like GDPR or HIPAA, which require strict controls over access to personal or sensitive data.

By exposing draft files without proper authorization, organizations using affected versions of Kirby CMS may risk violating confidentiality and data protection requirements mandated by these regulations.

Executive Summary

CVE-2026-54004 is a vulnerability in the Kirby content management system that affects versions prior to 4.9.4 and 5.4.4. When the content.fileRedirects feature is enabled, unauthorized users can access files stored in top-level draft pages by using clean file URLs without any authentication or permission checks.

This means that draft files, which are supposed to be private and inaccessible until published, could be viewed by anyone who knows the exact file path. The vulnerability arises because the system redirects requests for these draft files to their physical media URLs without verifying access rights or preview tokens.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive or confidential draft content stored in Kirby CMS. For example, files related to upcoming product launches, unpublished posts, or other private materials could be exposed to the public.

Since the vulnerability allows unauthenticated users to access draft files if they know the file path, it can result in information leakage that might harm business confidentiality, intellectual property, or privacy.

The severity is considered moderate with a CVSS score of 6.3, and exploitation requires knowledge of the full file path.

Detection Guidance

This vulnerability can be detected by attempting to access clean file URLs of files stored in top-level draft pages on a Kirby CMS site with the content.fileRedirects option enabled. If unauthorized access to such draft files is possible without authentication or proper authorization, the system is vulnerable.

A practical approach is to try accessing URLs that correspond to draft files, for example, by requesting URLs like /about-us/team.jpg or other known draft file paths directly in a browser or using command-line tools such as curl or wget.

  • curl -I https://example.com/path-to-draft-file.jpg
  • wget --spider https://example.com/path-to-draft-file.jpg

If these requests return the file content or a 200 OK status without requiring authentication, it indicates the vulnerability is present.

Mitigation Strategies

The immediate mitigation step is to upgrade Kirby CMS to version 4.9.4 or 5.4.4 or later, where the vulnerability has been fixed by adding authorization checks for draft file redirects.

If upgrading immediately is not possible, consider disabling the content.fileRedirects option to prevent unauthorized redirection to draft files.

Additionally, review and restrict access permissions to draft pages and files to ensure that unauthenticated users cannot access sensitive draft content.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54004. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart