Kirby CMS User Creation API Permission Bypass Vulnerability

Vulnerability

A vulnerability exists in Kirby CMS versions through 4.8.0 and 5.0.0 through 5.3.3 that allows authenticated users to bypass permission checks when creating pages, files, or users. The flaw stems from the ability to inject custom dynamic blueprint options that override the default permissions configured by the site developer. It can be exploited by users whose roles lack the 'create' permission for pages, files, or users, allowing them to perform these unauthorized actions and escalate their privileges.

Impact

Exploitation of this vulnerability could lead to the unauthorized creation of pages, files, or users, bypassing the intended permission controls and resulting in privilege escalation.

Remediation

Users can upgrade to Kirby 4.9.0 or 5.4.0, both of which include the necessary patch. Instructions for downloading these versions are available on the Kirby GitHub releases page.

Added: Apr 24, 2026, 1:20 AM
Updated: Apr 24, 2026, 1:20 AM

Vulnerability Rating

Custom Algorithm

  Category         Score
  spread           5.2
  impact           0.6
  exploitability   5.4
  remediation      7.7
  relevance        6.6
  threat           0.0
  urgency          2.9
  incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.