CVE-2026-40099 Overview
CVE-2026-40099 is an Authorization Bypass vulnerability in Kirby, an open-source content management system. The vulnerability exists in the way Kirby handles page creation permissions through its REST API. Specifically, the pages.changeStatus permission was not properly enforced during page creation, allowing authenticated users with only pages.create permission to bypass the normal editorial workflow and immediately publish pages by overriding the isDraft flag.
Critical Impact
Authenticated attackers with limited pages.create permission can bypass editorial workflows and immediately publish content without proper authorization, potentially exposing unapproved or malicious content to site visitors.
Affected Products
- Kirby CMS versions prior to 4.9.0
- Kirby CMS versions 5.x prior to 5.4.0
- getkirby kirby
Discovery Timeline
- 2026-04-24 - CVE CVE-2026-40099 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-40099
Vulnerability Analysis
This Authorization Bypass vulnerability (CWE-863: Incorrect Authorization) stems from improper permission checking in Kirby's page creation functionality. Kirby's permission system controls user actions through role-based blueprints defined in site/blueprints/users/... and model-specific options in site/blueprints/pages/.... The system provides distinct permissions including pages.create and pages.changeStatus to manage content creation and publication workflows.
The vulnerability exploits a logical flaw where the changeStatus permission was checked independently and only during explicit page status changes, not during the initial page creation process. While the Kirby Panel correctly enforces the editorial workflow by creating pages as drafts first, the REST API accepts an isDraft parameter override that was not subject to the same authorization checks.
Root Cause
The root cause lies in the incomplete implementation of permission checks during page creation via the REST API. The page creation rules did not validate whether a user had the pages.changeStatus permission before allowing them to set the isDraft flag to false. This created a discrepancy between the Panel interface (which enforced the workflow) and the API (which did not), resulting in a classic authorization bypass through an alternative access path.
Attack Vector
The attack vector is network-based and requires authentication with at least pages.create permission. An authenticated attacker can exploit this vulnerability by:
- Authenticating to the Kirby CMS REST API with valid credentials
- Crafting a page creation request that includes isDraft: false in the request payload
- Sending the request to the page creation endpoint
- The page is created in a published state, bypassing the intended editorial review workflow
This allows content to be published without requiring the pages.changeStatus permission, effectively circumventing organizational content approval processes. The attacker must have valid credentials with pages.create permission, but does not need pages.changeStatus permission to publish content directly.
Detection Methods for CVE-2026-40099
Indicators of Compromise
- Unexpected published pages appearing without corresponding draft-to-published status change logs
- REST API requests containing isDraft: false parameter from users who lack pages.changeStatus permission
- Pages published by users whose role blueprints explicitly deny pages.changeStatus
- Audit log discrepancies showing page creation without subsequent status change events
Detection Strategies
- Monitor REST API logs for page creation requests that include the isDraft parameter set to false
- Implement alerting for pages published by users without explicit pages.changeStatus authorization
- Review Kirby access logs for patterns of direct page publication bypassing the Panel workflow
- Cross-reference user permissions against published content to identify unauthorized publications
Monitoring Recommendations
- Enable detailed API request logging for all page creation endpoints
- Implement role-based monitoring to track actions performed by users with limited permissions
- Configure alerts for content publication events that skip the standard draft workflow
- Regularly audit user permissions against their actual content management activities
How to Mitigate CVE-2026-40099
Immediate Actions Required
- Upgrade Kirby CMS to version 4.9.0 or later for the 4.x branch
- Upgrade Kirby CMS to version 5.4.0 or later for the 5.x branch
- Review recently published pages to identify any unauthorized publications
- Audit user accounts with pages.create permission to verify appropriate access levels
Patch Information
Kirby has released security patches in versions 4.9.0 and 5.4.0 that address this vulnerability. The fix adds a check to the page creation rules that ensures users without the pages.changeStatus permission cannot create published pages—only page drafts. For complete details, see the GitHub Security Advisory GHSA-w942-j9r6-hr6r, Kirby 4.9.0 Release Notes, and Kirby 5.4.0 Release Notes.
Workarounds
- Restrict REST API access to trusted users only until patching is possible
- Implement a web application firewall (WAF) rule to block or flag page creation requests containing isDraft: false from untrusted sources
- Temporarily revoke pages.create permission from users who should not have publishing capabilities
- Monitor and manually review all newly published content until the patch is applied
# Configuration example
# Review and update user blueprints to restrict permissions
# File: site/blueprints/users/editor.yml
# Before patching, consider removing pages.create from users
# who should not be able to publish directly
permissions:
pages:
create: false
changeStatus: false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
