Kirby Missing Permission Checks in Panel and REST API

Vulnerability

A vulnerability exists in Kirby, an open-source content management system, prior to versions 4.9.0 and 5.4.0: the `pages.access/list` and `files.access/list` permissions are not consistently enforced in the Panel and in the REST API. As a result, authenticated users can access or list pages and files that their permissions should not allow them to see. The root cause is missing authorization checks on the affected Panel and REST API code paths, which could lead to unauthorized access to sensitive information or unauthorized changes to content.

Impact

The vulnerability can result in unauthorized access to non-listable pages and files, allowing affected users to bypass the configured permission restrictions and read or manipulate content that should be hidden from them.

Remediation

Users are advised to upgrade to Kirby version 4.9.0 or 5.4.0, whichever matches the installed major version. Instructions for updating can be found in the Kirby release notes on GitHub.

Added: May 9, 2026, 4:23 AM
Updated: May 9, 2026, 4:23 AM

Vulnerability Rating

Custom Algorithm (each category scored 0.0 to 10.0)

spread: 5.2
impact: 0.6
exploitability: 5.4
remediation: 7.7
relevance: 7.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability categories, which are then combined into the overall risk score.