CVE-2026-21896 Overview
CVE-2026-21896 is an authorization bypass vulnerability affecting Kirby, an open-source content management system. The vulnerability stems from missing permission checks in the content changes API, allowing authenticated users with restricted permissions to bypass configured access controls and perform unauthorized write actions on site content.
This security flaw impacts Kirby versions 5.0.0 through 5.2.1 and specifically affects deployments where administrators have configured custom user permissions to prevent certain roles from performing write operations. The vulnerability is classified as CWE-863 (Incorrect Authorization).
Critical Impact
Authenticated users with restricted roles can bypass permission controls to modify, publish, or discard content versions despite being explicitly denied write access.
Affected Products
- Kirby CMS versions 5.0.0 to 5.2.1
Discovery Timeline
- 2026-01-08 - CVE-2026-21896 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2026-21896
Vulnerability Analysis
The vulnerability exists within Kirby's content changes API controller, which fails to validate the user's permissions before executing write operations. When administrators configure role-based access controls to keep specific roles from modifying content (by disabling the update permission), the version endpoints do not enforce that restriction, so the configured role model can be bypassed by anyone who can reach them.
The root issue lies in the Changes controller component located at src/Api/Controller/Changes.php. Prior to the patch, this controller accepted requests for version operations (save, publish, discard) without verifying whether the authenticated user possessed the necessary permissions for the target content item. This represents a classic broken access control pattern where server-side authorization checks are incomplete.
Root Cause
The root cause is CWE-863 (Incorrect Authorization) - the application fails to perform adequate permission validation in the content changes API controller. The authorization logic that should verify user permissions against configured role restrictions was absent from the version management endpoints, creating a gap between the intended permission model and actual enforcement.
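The gap described above, as an added example that is not Kirby's code: a stand-in model with the shape of Kirby's permissions()->can() API (an assumption; the real class names, file and checks live in the Kirby source), first with a controller that writes unconditionally, then with one that gates save, publish and discard on the role's update permission and throws the PermissionException the patch imports. Gating all three operations on the update permission is this example's choice, not a statement about the real patch.

```php
<?php
// Added illustration of the CWE-863 pattern behind CVE-2026-21896; this is
// not Kirby's code. Permissions and Model are minimal stand-ins shaped like
// Kirby's ModelWithContent::permissions()->can() (an assumed API shape), so
// the file runs without a Kirby install: php changes_check.php

class PermissionException extends RuntimeException {}

// Stand-in for a role's permission set: action => allowed.
final class Permissions
{
    public function __construct(private array $actions) {}
    public function can(string $action): bool { return $this->actions[$action] ?? false; }
}

// Stand-in for a page/file/site model holding a published and a draft version.
final class Model
{
    public array $changes = [];
    public array $published = ['title' => 'Original'];

    public function __construct(private Permissions $permissions) {}
    public function permissions(): Permissions { return $this->permissions; }

    // Version primitives; they do no authorization themselves and trust the
    // controller to have checked, which is exactly where the gap sat.
    public function saveChanges(array $input): void { $this->changes = $input; }
    public function discardChanges(): void { $this->changes = []; }
    public function publishChanges(): void
    {
        if ($this->changes !== []) {
            $this->published = $this->changes;
            $this->changes = [];
        }
    }
}

// Vulnerable shape (the 5.0.0 - 5.2.1 behaviour the advisory describes):
// every write path reaches the version without consulting permissions.
final class VulnerableChangesController
{
    public static function save(Model $m, array $input): void { $m->saveChanges($input); }
    public static function publish(Model $m): void { $m->publishChanges(); }
    public static function discard(Model $m): void { $m->discardChanges(); }
}

// Fixed shape: each write path gates on the role's update permission and
// throws before anything is modified. The error keys mirror the strings
// added in the 5.2.2 translations.
final class FixedChangesController
{
    private static function ensureCanUpdate(Model $m, string $operation): void
    {
        if ($m->permissions()->can('update') === false) {
            throw new PermissionException("error.version.{$operation}.permission");
        }
    }

    public static function save(Model $m, array $input): void { self::ensureCanUpdate($m, 'save'); $m->saveChanges($input); }
    public static function publish(Model $m): void { self::ensureCanUpdate($m, 'publish'); $m->publishChanges(); }
    public static function discard(Model $m): void { self::ensureCanUpdate($m, 'discard'); $m->discardChanges(); }
}

// A role configured with update => false, as in the affected deployments.
$restrictedRole = new Permissions(['read' => true, 'update' => false]);

$page = new Model($restrictedRole);
VulnerableChangesController::save($page, ['title' => 'Defaced']);
VulnerableChangesController::publish($page);
printf("vulnerable controller: published title is now '%s'\n", $page->published['title']);

$page = new Model($restrictedRole);
$attempts = [
    'save'    => fn() => FixedChangesController::save($page, ['title' => 'Defaced']),
    'publish' => fn() => FixedChangesController::publish($page),
    'discard' => fn() => FixedChangesController::discard($page),
];
foreach ($attempts as $op => $attempt) {
    try {
        $attempt();
        printf("fixed controller: %s unexpectedly succeeded\n", $op);
    } catch (PermissionException $e) {
        printf("fixed controller: %s rejected with %s\n", $op, $e->getMessage());
    }
}
printf("fixed controller: published title is still '%s'\n", $page->published['title']);
```

Run it with php 8 or later: the first half shows a role with update disabled getting its draft published, the second shows the same role rejected before any write with error.version.save.permission, error.version.publish.permission and error.version.discard.permission, and the published title untouched.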
Attack Vector
An attacker holding a valid low-privileged account can exploit this vulnerability over the network by:
- Authenticating to the Kirby Panel with the restricted account
- Identifying the content changes API endpoints used for version operations (save, publish, discard)
- Sending requests to those endpoints directly to modify, publish, or discard content versions
- Receiving a successful response, because the controller never compares the request against the role's update permission
The attack requires network access to the Panel and valid credentials for any role; the restricted user reaches the vulnerable endpoints either through the Panel interface or by calling the API directly.
The security patch imports Kirby's PermissionException into the Changes controller so that version operations the user's role does not permit can be rejected:
use Kirby\Cms\Language;
use Kirby\Cms\ModelWithContent;
use Kirby\Content\Lock;
+use Kirby\Exception\PermissionException;
use Kirby\Filesystem\F;
use Kirby\Form\Fields;
use Kirby\Form\Form;
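Review bot: the hunk shows only the added `use Kirby\Exception\PermissionException;` import; the checks that throw it before the save, publish and discard operations are not part of this excerpt, so a reader cannot verify from these lines that every version route is now gated. Include the hunk where the exception is raised (the permission check preceding each write) or state in the surrounding text that only the import portion of the commit is shown.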
Source: GitHub Commit
Additionally, new error messages were added to provide proper feedback when permission checks fail:
"error.version.discard.permission": "You are not allowed to discard this version",
"error.version.publish.permission": "You are not allowed to publish this version",
"error.version.save.permission": "You are not allowed to change this version",
Source: GitHub Commit
Detection Methods for CVE-2026-21896
Indicators of Compromise
- Unexpected content modifications attributed to users with restricted roles
- Audit log entries showing version publish/discard/save operations by unauthorized users
- Content changes that bypass established editorial workflows
- Access logs showing successful requests to the content changes API endpoints (version save, publish and discard) from restricted accounts
Detection Strategies
- Monitor Kirby Panel access logs for content modification API requests from users with disabled update permissions
- Review content version history for unauthorized modifications or publications
- Implement alerting on successful write operations by roles configured without update privileges
- Cross-reference user role configurations against actual content modification activity
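The cross-referencing strategy in the list above, as an added example in PHP (not from Kirby or the advisory): it parses constructed log lines, keeps only successful POSTs to the version routes, and flags those made by accounts whose role has update disabled or that are absent from the account directory. The log format, the route suffixes (/changes/save, /changes/publish, /changes/discard), the role map and the sample accounts are assumptions for illustration; adapt the two regexes to your proxy's log format and your Kirby version's routes.

```php
<?php
// Added detection example for CVE-2026-21896; not part of Kirby or the advisory.
// Assumptions: the reverse proxy logs "timestamp user method path status" per
// request (most setups must add the Panel user to the log format themselves),
// and the version routes end in /changes/save, /changes/publish or
// /changes/discard. Adapt the two regexes to your real log and Kirby version.

// Constructed role configuration: role => whether content updates are allowed.
$roleCanUpdate = [
    'admin'    => true,
    'editor'   => true,
    'reviewer' => false, // blueprint sets update: false for this role
];

// Constructed account directory: user => role.
$userRoles = [
    'alice' => 'admin',
    'bob'   => 'editor',
    'carol' => 'reviewer',
];

// Constructed sample log lines; carol's successful POSTs are the signal.
$sampleLog = <<<'LOG'
2026-01-09T10:01:12Z alice POST /api/pages/blog+hello/changes/publish 200
2026-01-09T10:02:44Z carol GET /api/pages/blog+hello 200
2026-01-09T10:03:01Z carol POST /api/pages/blog+hello/changes/save 200
2026-01-09T10:03:09Z carol POST /api/pages/blog+hello/changes/publish 200
2026-01-09T10:04:30Z bob POST /api/pages/blog+hello/changes/discard 200
2026-01-09T10:05:02Z carol POST /api/site/changes/save 403
2026-01-09T10:06:15Z mallory POST /api/pages/blog+hello/changes/discard 200
LOG;

// Splits one log line into its fields, or returns null for lines that do not
// match the assumed format.
function parseLogLine(string $line): ?array
{
    $pattern = '~^(?<ts>\S+)\s+(?<user>\S+)\s+(?<method>[A-Z]+)\s+(?<path>\S+)\s+(?<status>\d{3})$~';
    if (preg_match($pattern, trim($line), $m) !== 1) {
        return null;
    }
    return [
        'ts'     => $m['ts'],
        'user'   => $m['user'],
        'method' => $m['method'],
        'path'   => $m['path'],
        'status' => (int) $m['status'],
    ];
}

// Returns the version operation (save|publish|discard) for a write request,
// or null for anything else.
function versionOperation(array $req): ?string
{
    if ($req['method'] !== 'POST') {
        return null;
    }
    return preg_match('~/changes/(save|publish|discard)$~', $req['path'], $m) === 1 ? $m[1] : null;
}

// Flags every successful version write by an account whose role has update
// disabled. Unknown accounts or roles are treated as restricted so they are
// surfaced rather than silently trusted.
function findUnauthorizedWrites(string $log, array $userRoles, array $roleCanUpdate): array
{
    $findings = [];
    foreach (preg_split('/\R/', $log) as $line) {
        $req = parseLogLine($line);
        if ($req === null) {
            continue;
        }
        $op = versionOperation($req);
        if ($op === null || $req['status'] >= 400) {
            continue; // not a version write, or the server already rejected it
        }
        $role = $userRoles[$req['user']] ?? 'unknown';
        if ($roleCanUpdate[$role] ?? false) {
            continue; // role is allowed to write; nothing to report
        }
        $findings[] = [
            'ts'   => $req['ts'],
            'user' => $req['user'],
            'role' => $role,
            'op'   => $op,
            'path' => $req['path'],
        ];
    }
    return $findings;
}

$findings = findUnauthorizedWrites($sampleLog, $userRoles, $roleCanUpdate);
foreach ($findings as $f) {
    printf("ALERT %s user=%s role=%s op=%s path=%s\n", $f['ts'], $f['user'], $f['role'], $f['op'], $f['path']);
}
printf("%d suspicious version write(s)\n", count($findings));
```

On the constructed input, carol's successful save and publish and the unknown account mallory are reported; carol's 403 on the site save and bob's editor discard are not, since one was refused by the server and the other is within the editor role's permissions. Run it over the period before the upgrade to 5.2.2: anything it flags is a write the vulnerable controller let through.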
Monitoring Recommendations
- Enable request logging for the Panel API at the web server or reverse proxy, capturing method, path, status and, where possible, the authenticated user
- Audit user role configurations to identify accounts with restricted permissions
- Implement file integrity monitoring on Kirby content directories
- After patching, watch application logs for the new error.version.save.permission, error.version.publish.permission and error.version.discard.permission messages: each one is a blocked attempt that would have succeeded on a vulnerable version
How to Mitigate CVE-2026-21896
Immediate Actions Required
- Upgrade Kirby CMS to version 5.2.2 immediately
- Audit content modification logs to identify any unauthorized changes made by restricted users
- Review and verify all role-based permission configurations after upgrading
- Consider temporarily restricting Panel access for non-essential users until patching is complete
Patch Information
The vulnerability has been addressed in Kirby version 5.2.2. The fix implements proper permission checks in the Changes controller, ensuring that version save, publish, and discard operations validate user authorization before execution.
The security patch is available via Composer; composer update stays within the version constraint in composer.json, so make sure that constraint admits 5.2.2 (for example ^5.0):
# Update Kirby via Composer
composer update getkirby/cms
# Verify installed version
composer show getkirby/cms | grep versions
Workarounds
- Restrict Panel access to trusted users only until the patch is applied
- Implement additional network-level access controls (IP whitelisting) for the Kirby Panel
- Disable Panel access for accounts with restricted permissions as a temporary measure
- Monitor content directories with file integrity checking tools for unauthorized modifications
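A role blueprint showing both the restricted configuration the advisory describes and the temporary workaround of disabling Panel access for such accounts, as an added example that is not from the advisory or the Kirby project. The file path, the role name and the assumption that these permission keys match the Kirby user blueprint reference are mine; check them against the documentation for your Kirby version.

```yaml
# site/blueprints/users/reviewer.yml (assumed path and role name for illustration)
title: Reviewer

permissions:
  access:
    # Temporary workaround while on 5.0.0 - 5.2.1: keep this role out of the
    # Panel entirely. Set back to true after upgrading to 5.2.2.
    panel: false
  pages:
    # The restriction the vulnerable Changes controller did not enforce.
    update: false
  files:
    update: false
  site:
    update: false
```

After the upgrade, restore panel: true and confirm with a test account in this role that a save attempt is answered with the error.version.save.permission message rather than a successful write.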
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


