getkirby/kirby
cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*
- <= 4.8.0
- >= 5.0.0, <= 5.3.3
A vulnerability exists in Kirby, an open-source content management system, in the 4.x series prior to 4.9.0 and the 5.x series prior to 5.4.0, allowing authenticated users to create, replace, or delete user avatars without the necessary permissions. The issue arises because avatar management is not restricted by the user update permissions that gate other changes to a user account. As a result, users whose roles lack the 'user.update' or 'users.update' permission can still change avatars, leading to unauthorized changes in user profiles.
Exploiting this vulnerability allows for unauthorized modifications of user avatars, which are considered part of the user profile information.
Users can upgrade to Kirby versions 4.9.0 or 5.4.0, both of which include the necessary permission checks for avatar management. Instructions for downloading these versions are available on the Kirby GitHub releases page.
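The following is an added illustration of the permission gap described above and of the kind of check the fixed versions add; it is not Kirby's own code. The role table, the `User` class, and the function names are assumptions made for the example; only the two permission keys, 'user.update' and 'users.update', come from the advisory. The assumed convention is that 'user.update' governs changes to one's own account and 'users.update' governs changes to other accounts, and the example treats an avatar change as just another user update that must pass that gate.

```python
# Hypothetical model of an avatar-permission gap, added as an illustration.
# Not Kirby's code: the role table, User class and function names are assumed.

from dataclasses import dataclass
from typing import Dict, Optional

# Assumed role table. Only the two permission keys are taken from the advisory.
ROLE_PERMISSIONS: Dict[str, Dict[str, bool]] = {
    "admin":  {"user.update": True,  "users.update": True},
    "editor": {"user.update": True,  "users.update": False},
    "viewer": {"user.update": False, "users.update": False},
}


@dataclass
class User:
    id: str
    role: str
    avatar: Optional[str] = None


class PermissionDenied(Exception):
    """Raised when the acting user lacks the permission an action requires."""


def has_permission(actor: User, key: str) -> bool:
    return ROLE_PERMISSIONS.get(actor.role, {}).get(key, False)


def can_update_user(actor: User, target: User) -> bool:
    """Gate used for every user update (assumed convention): editing your own
    account needs 'user.update', editing someone else's needs 'users.update'."""
    key = "user.update" if actor.id == target.id else "users.update"
    return has_permission(actor, key)


def change_avatar(actor: User, target: User, action: str,
                  filename: Optional[str] = None, *,
                  enforce: bool = True) -> Optional[str]:
    """Create, replace or delete the target's avatar.

    enforce=False reproduces the vulnerable behaviour: the avatar is written
    with no permission check at all.  enforce=True is the hardened path, where
    an avatar change must pass the same gate as any other user update.
    """
    if action not in ("create", "replace", "delete"):
        raise ValueError(f"unknown action: {action}")
    if enforce and not can_update_user(actor, target):
        raise PermissionDenied(
            f"{actor.role} {actor.id} may not change the avatar of {target.id}")
    if action == "delete":
        target.avatar = None
    else:
        if filename is None:
            raise ValueError("create/replace require a filename")
        target.avatar = filename
    return target.avatar


def outcome(actor: User, target: User, action: str,
            filename: Optional[str] = None, *, enforce: bool = True) -> str:
    """Return 'applied' or 'denied' so scenarios are easy to compare."""
    try:
        change_avatar(actor, target, action, filename, enforce=enforce)
        return "applied"
    except PermissionDenied:
        return "denied"


def demo() -> Dict[str, str]:
    """Run three constructed scenarios against the vulnerable and fixed paths."""
    results: Dict[str, str] = {}
    for enforce, label in ((False, "vulnerable"), (True, "fixed")):
        admin = User("u1", "admin", "admin.jpg")      # constructed sample users
        editor = User("u2", "editor")
        viewer = User("u3", "viewer", "viewer.jpg")
        results[f"{label}/editor-creates-own"] = outcome(
            editor, editor, "create", "me.jpg", enforce=enforce)
        results[f"{label}/editor-replaces-admin"] = outcome(
            editor, admin, "replace", "swap.jpg", enforce=enforce)
        results[f"{label}/viewer-deletes-own"] = outcome(
            viewer, viewer, "delete", enforce=enforce)
    return results


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:32} {result}")
```

In the vulnerable path every scenario is applied, including an editor replacing the administrator's avatar and a viewer deleting their own despite lacking 'user.update'. In the hardened path only the editor's change to their own avatar goes through, which is the behaviour a permission model like the one above should produce for profile data.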