CVE-2026-54005
Received Received - Intake

Unauthorized Page Data Exposure in Kirby CMS

Vulnerability report for CVE-2026-54005, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites where a role has the pages.access permission disabled allowed authenticated users who know or guess page IDs or UUIDs to retrieve page information, including full content and metadata, for arbitrary published pages through the /api/site/find route without authorization to access those pages. This issue is fixed in versions 4.9.4 and 5.4.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-10
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
getkirby kirby to 4.9.4 (inc)
getkirby kirby to 5.4.4 (inc)
getkirby kirby From 4.9.3 (inc) to 4.9.4 (exc)
getkirby kirby From 5.0.0 (inc) to 5.4.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Kirby CMS versions prior to 4.9.4 and 5.4.4 have a vulnerability where authenticated users can access page information without proper authorization.

If a user role has the pages.access permission disabled, users who know or guess page IDs or UUIDs can retrieve full content and metadata of arbitrary published pages via the /api/site/find API route.

This happens because the API route does not enforce the pages.access permission, allowing unauthorized access to page data.

The issue was fixed by restricting the API to only return pages marked as listable, ensuring proper authorization checks.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information by allowing authenticated users to access full content and metadata of pages they should not have permission to view.

Although it does not allow modification or write actions, the exposure of confidential or private page data can compromise the security and privacy of the website.

The vulnerability requires only low privileges and no user interaction to exploit, increasing the risk of information leakage.

Detection Guidance

This vulnerability can be detected by attempting to access the /api/site/find route on a Kirby CMS installation with an authenticated user account that has the pages.access permission disabled. If the API returns full content and metadata for arbitrary published pages without proper authorization, the system is vulnerable.

A practical detection method is to use HTTP request tools such as curl or similar to query the API endpoint with known or guessed page IDs or UUIDs and observe if unauthorized page data is returned.

  • curl -u <username>:<password> https://<kirby-site>/api/site/find?id=<page-id>
  • Check if the response includes full page content and metadata for pages that the authenticated user should not have access to.
Mitigation Strategies

The immediate mitigation step is to upgrade Kirby CMS to version 4.9.4 or 5.4.4 or later, where the vulnerability has been fixed by enforcing proper authorization checks on the /api/site/find route.

If upgrading immediately is not possible, restrict access to the /api/site/find API endpoint to trusted users only, or disable the API route temporarily to prevent unauthorized data disclosure.

Review and adjust user roles and permissions to ensure that users without the pages.access permission cannot authenticate or access sensitive API routes.

Compliance Impact

The vulnerability in Kirby CMS allows authenticated users to retrieve full content and metadata of arbitrary published pages without proper authorization. This unauthorized information disclosure could lead to exposure of sensitive or personal data.

Such exposure of sensitive information may negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.

By allowing unauthorized access to page content and metadata, the vulnerability increases the risk of data breaches and non-compliance with these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54005. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart