CVE-2026-34587 Overview
CVE-2026-34587 is an authorization bypass vulnerability in Kirby, an open-source content management system. The vulnerability allows authenticated attackers with the pages.create permission to bypass the editorial workflow and immediately create published pages by exploiting a flaw in how the REST API handles page creation permissions.
In affected versions of Kirby, the pages.create and pages.changeStatus permissions were checked independently without proper coordination. While the Kirby Panel enforces that new pages are created as drafts requiring subsequent approval, the REST API permitted overriding the isDraft flag during page creation. This effectively allowed users to bypass the changeStatus permission check, enabling them to publish content directly without going through the intended editorial workflow.
Critical Impact
Authenticated users holding only the pages.create permission can skip editorial review and publish content immediately. On a public site that means defacement, SEO spam, or hosting of malicious content (phishing pages, malware links) under a trusted domain, with the resulting reputational damage. The prerequisite is a valid account, so the realistic actors are malicious insiders and compromised contributor accounts.
Affected Products
- Kirby CMS 4.x versions prior to 4.9.0
- Kirby CMS 5.x versions prior to 5.4.0
- Vendor / product as listed in the CVE record: getkirby / kirby
Discovery Timeline
- 2026-04-24 - CVE-2026-34587 published to NVD
- 2026-04-27 - Last updated in the NVD database
Technical Details for CVE-2026-34587
Vulnerability Analysis
The vulnerability stems from an improper access control implementation in Kirby's permission system. Kirby provides granular user permissions that can be configured through user blueprints located in site/blueprints/users/ and can be further customized per model through the options feature in model blueprints such as site/blueprints/pages/.
The core issue is that the changeStatus permission, which controls whether a user can change a page's publication status, was not enforced during the page creation process via the REST API. When a page is created through the Kirby Panel, it is always created as a draft (isDraft: true), requiring a separate action with pages.changeStatus permission to publish it. However, the REST API allowed callers to specify the isDraft flag directly during creation, completely bypassing this safeguard.
The consequence is that a user with only pages.create, who is meant to produce draft content for review, could craft a REST API request that creates an already published page and sidestep the editorial review entirely. The Panel's behaviour of always creating drafts was a client-side convention, not a server-side guarantee.
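The following is an added illustrative model of the independent versus coordinated permission check described above. It is not Kirby's code: the permission names (pages.create, pages.changeStatus) mirror Kirby's user blueprint keys, but the User and Page classes, the sample accounts and the crafted request body are constructed for the example. The pre-fix variant honours the isDraft flag from the request body after checking only pages.create; the hardened variant treats "create as published" as a status change and requires pages.changeStatus for it, falling back to a draft for anything other than an explicit false.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller lacks the permission an action requires."""


@dataclass(frozen=True)
class User:
    name: str
    # Shape mirrors a Kirby user blueprint: permissions -> category -> action -> bool
    permissions: dict


@dataclass
class Page:
    slug: str
    is_draft: bool
    created_by: str


def can(user: User, category: str, action: str) -> bool:
    """Look up one permission flag; anything unset is treated as denied."""
    return bool(user.permissions.get(category, {}).get(action, False))


def create_page_vulnerable(user: User, body: dict) -> Page:
    """Pre-fix behaviour (modelled, not Kirby's code): only pages.create is
    checked and the request body's isDraft flag is honoured as supplied, so a
    create-only user who sends isDraft=false gets a published page."""
    if not can(user, "pages", "create"):
        raise Forbidden("pages.create")
    return Page(body["slug"], bool(body.get("isDraft", True)), user.name)


def create_page_hardened(user: User, body: dict) -> Page:
    """Coordinated check: creating a page in a published state is a status
    change, so it additionally requires pages.changeStatus. Anything other
    than an explicit false keeps the safe default of a draft."""
    if not can(user, "pages", "create"):
        raise Forbidden("pages.create")
    wants_published = body.get("isDraft", True) is False
    if wants_published and not can(user, "pages", "changeStatus"):
        raise Forbidden("pages.changeStatus")
    return Page(body["slug"], not wants_published, user.name)


# Constructed sample accounts (assumptions): a contributor with create-only
# rights and a publisher who may also change status.
EDITOR = User("editor", {"pages": {"create": True, "changeStatus": False}})
PUBLISHER = User("publisher", {"pages": {"create": True, "changeStatus": True}})

# The crafted request body from the advisory: isDraft overridden to false.
CRAFTED_BODY = {"slug": "promo", "template": "default", "isDraft": False}


def demo() -> dict:
    """Runs both implementations against the crafted body and returns outcomes."""
    out = {}
    out["vulnerable_editor_published"] = not create_page_vulnerable(EDITOR, CRAFTED_BODY).is_draft
    try:
        create_page_hardened(EDITOR, CRAFTED_BODY)
        out["hardened_editor"] = "created"
    except Forbidden as exc:
        out["hardened_editor"] = f"403 {exc}"
    out["hardened_publisher_draft"] = create_page_hardened(PUBLISHER, CRAFTED_BODY).is_draft
    out["hardened_editor_default_draft"] = create_page_hardened(EDITOR, {"slug": "note"}).is_draft
    return out


if __name__ == "__main__":
    print(demo())
```

Rejecting with a 403 is one valid design; the other is to silently force is_draft to true when the caller lacks pages.changeStatus. Rejecting is preferable because it leaves an auditable trace of the attempt instead of quietly downgrading the request.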
Root Cause
The root cause is improper enforcement of the changeStatus permission during the page creation flow. The permission checks for pages.create and pages.changeStatus were implemented as independent validations rather than being coordinated to enforce the intended workflow, so a request could pass the first check while skipping the second. The patch notes reproduced on this page also mention a change to the Options logic, which previously double-resolved queries in option values coming from OptionsQuery or OptionsApi sources; see Patch Information below.
Attack Vector
The attack is network-based, requires an authenticated account holding the pages.create permission, and needs no user interaction. The attacker sends a crafted POST request to Kirby's REST API page-creation endpoint with the isDraft parameter explicitly set to false in the request body. The Panel's own create dialog never offers this flag, but the API accepted it from any client able to present a valid session or API credential, bypassing the requirement that pages start as drafts and are published later by a user with changeStatus.
Because only a low-privileged account is needed, the vulnerability is exploitable by an insider or by anyone who has compromised a contributor account. The impact includes unauthorized content publication, SEO manipulation, distribution of malicious content, and reputational damage to the organization.
Detection Methods for CVE-2026-34587
Indicators of Compromise
- Unexpected page publications by users who should only have draft creation permissions
- Request logs showing REST API page creation requests whose body contains isDraft: false (standard web server access logs do not record request bodies; this indicator needs body logging at the reverse proxy or an application-level log)
- Pages appearing in published state without corresponding status change audit entries
- Unusual API activity patterns from low-privileged user accounts
Detection Strategies
- Monitor REST API page creation requests for an isDraft value in the request body. Because access logs record only method and path, enable request-body logging at the reverse proxy or log page creations from the application side (for example from a page-creation hook) so the flag is visible
- Implement audit logging for page status changes and compare against user permission profiles
- Review published content for unauthorized or suspicious material that bypassed editorial review
- Deploy web application firewall (WAF) rules to flag, or block where no legitimate client needs it, REST API page-creation requests that carry an isDraft value; legitimate integrations that publish through the API will be affected by a blocking rule, so inventory them first
Monitoring Recommendations
- Enable detailed logging for all REST API endpoints in Kirby CMS
- Configure alerts for page publications by users lacking pages.changeStatus permission
- Implement content review workflows with notifications for unexpected publications
- Regularly audit user permissions against actual content modification patterns
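The detection strategies and monitoring recommendations above reduce to two checks: a creation request that sets isDraft to false from a user whose profile lacks pages.changeStatus, and a page that is live although no status-change request was ever recorded for it. The block below is an added example, not Kirby's code or output, that runs both checks over constructed log lines. The JSON record format, the API paths, the permission map and the published-page snapshot are all assumptions; adapt the field names and path layout to whatever your reverse proxy or hook-based logger actually writes.

```python
import json

# Constructed sample records (assumptions, not real Kirby output). Each line is
# a JSON object such as a reverse proxy with request-body logging, or a small
# logger attached to Kirby's page hooks, might emit. Paths are placeholders.
SAMPLE_LOG = """
{"ts": "2026-04-25T09:01:02Z", "user": "editor", "method": "POST", "path": "/api/site/children", "body": {"slug": "spring-sale", "template": "default", "isDraft": false}}
{"ts": "2026-04-25T09:05:40Z", "user": "publisher", "method": "POST", "path": "/api/site/children", "body": {"slug": "faq", "template": "default"}}
{"ts": "2026-04-25T09:06:11Z", "user": "publisher", "method": "PATCH", "path": "/api/pages/faq/status", "body": {"status": "listed"}}
{"ts": "2026-04-25T09:10:00Z", "user": "editor", "method": "POST", "path": "/api/site/children", "body": {"slug": "notes", "template": "default"}}
""".strip()

# Permission profiles as they would be derived from the user blueprints (constructed).
PERMISSIONS = {
    "editor": {"pages.create": True, "pages.changeStatus": False},
    "publisher": {"pages.create": True, "pages.changeStatus": True},
}

# Constructed snapshot of pages currently published on the site.
PUBLISHED_SNAPSHOT = ["faq", "spring-sale"]


def parse_log(text: str) -> list:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_isdraft_overrides(events: list, perms: dict) -> list:
    """Signal 1: a POST to the API whose body sets isDraft to false, sent by a
    user whose profile lacks pages.changeStatus. Returns (ts, user, slug)."""
    hits = []
    for ev in events:
        if ev.get("method") != "POST" or not str(ev.get("path", "")).startswith("/api/"):
            continue
        body = ev.get("body") or {}
        if body.get("isDraft") is False and not perms.get(ev["user"], {}).get("pages.changeStatus"):
            hits.append((ev["ts"], ev["user"], body.get("slug")))
    return hits


def find_published_without_status_change(events: list, published: list) -> list:
    """Signal 2: a page that is live but has no recorded status-change request.
    Status changes are identified by a 'status' key in a PATCH body, with the
    page slug taken from the path; this path layout is an assumption."""
    changed = set()
    for ev in events:
        if ev.get("method") == "PATCH" and "status" in (ev.get("body") or {}):
            parts = ev["path"].strip("/").split("/")
            # expected layout: api / pages / <slug> / status
            if len(parts) >= 4 and parts[1] == "pages":
                changed.add(parts[2])
    return sorted(slug for slug in published if slug not in changed)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("isDraft overrides:", find_isdraft_overrides(evs, PERMISSIONS))
    print("published without status change:", find_published_without_status_change(evs, PUBLISHED_SNAPSHOT))
```

Signal 1 depends on seeing request bodies, which is the expensive part; signal 2 needs only a log of status-change requests plus a periodic listing of published pages, so it remains useful on deployments where body logging is not an option. Run both against the retention window that covers the period before the upgrade.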
How to Mitigate CVE-2026-34587
Immediate Actions Required
- Upgrade Kirby CMS to 4.9.0 or later on the 4.x branch, or 5.4.0 or later on the 5.x branch
- Audit recently published pages for unauthorized content created by low-privileged users
- Review user blueprints to ensure permission assignments follow least-privilege principles
- Temporarily restrict REST API access to trusted networks until the patch is applied (the Panel itself talks to the API, so this also limits where editors can log in)
Patch Information
Getkirby has released patches in Kirby 4.9.0 and Kirby 5.4.0 that address this vulnerability by enforcing the changeStatus permission during page creation. The release notes reproduced on this page also describe a change to the Options logic: it no longer double-resolves queries in option values coming from OptionsQuery or OptionsApi sources and only resolves queries that are configured directly in the blueprints.
For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-jcjw-58rv-c452.
Workarounds
- Restrict REST API access to trusted networks or users until the patch can be applied; remember that Panel sessions use the same API
- Implement additional API gateway controls to validate page creation requests, for example rejecting bodies that carry isDraft unless the caller is a known publishing integration
- Disable the REST API endpoint for page creation temporarily if it is not business-critical
- Configure web application firewall rules to block page-creation requests that set isDraft to false
# Example: Restrict Kirby API access at the web server level (nginx)
# The rate-limit zone must be declared once in the http {} context, e.g.:
#   limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
location /api/ {
    # Allow only specific trusted IP addresses (adjust to your editor network);
    # this also restricts Panel logins, since the Panel calls /api/ itself
    allow 10.0.0.0/8;
    deny all;
    # Additional rate limiting against the zone declared above
    limit_req zone=api_limit burst=5 nodelay;
    # Keep routing into Kirby's front controller as in the rest of your config,
    # otherwise allowed clients would be served static files instead of the API
    try_files $uri /index.php$is_args$args;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.