CVE-2026-41325 Overview
CVE-2026-41325 is an authorization bypass vulnerability in Kirby, an open-source content management system. The flaw exists in how Kirby handles user permissions during the creation of pages, files, and users. Prior to versions 4.9.0 and 5.4.0, attackers with low-privileged access could inject custom dynamic blueprint configuration into model data, effectively overriding the permissions and options configured by site developers in user and model blueprints.
Critical Impact
Authenticated attackers can bypass permission controls by injecting 'create' => true into the blueprint property, circumventing access restrictions and potentially creating unauthorized content within the CMS.
Affected Products
- Kirby CMS versions prior to 4.9.0
- Kirby CMS versions prior to 5.4.0
- getkirby kirby
Discovery Timeline
- 2026-04-24 - CVE CVE-2026-41325 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-41325
Vulnerability Analysis
This vulnerability (CWE-863: Incorrect Authorization) stems from insufficient validation of user-supplied data during the creation of content models in Kirby CMS. The platform's permission system relies on blueprints defined in site/blueprints/users/ for user roles and site/blueprints/pages/ for page-specific controls, with additional customization available through the options feature in model blueprints.
The core issue is that the normalization code used during the creation of pages, files, and users did not properly filter the blueprint property from incoming requests. This allowed authenticated users to inject arbitrary blueprint configuration, including permission overrides, directly into the creation payload.
Root Cause
The root cause is improper input validation in the model creation workflow. Kirby's permission system combines pages.create, files.create, and users.create permissions with blueprint-level options to determine authorization. However, the system failed to sanitize the blueprint property during model instantiation, allowing malicious users to inject dynamic configuration that overrides the intended access controls.
Attack Vector
The attack requires network access and valid low-privileged credentials to the Kirby CMS administrative interface. An attacker can exploit this vulnerability by crafting a malicious creation request that includes an injected blueprint property with options containing 'create' => true. When the CMS processes this request, the injected configuration takes precedence over the developer-configured permissions, granting the attacker unauthorized creation capabilities.
The exploitation flow involves:
- Authenticating to the Kirby CMS panel with any valid user account
- Intercepting or crafting a page, file, or user creation request
- Injecting a blueprint property containing malicious options configuration
- Bypassing the permission checks to create unauthorized content
For detailed technical information about the exploitation mechanism, refer to the GitHub Security Advisory GHSA-6gqr-mx34-wh8r.
Detection Methods for CVE-2026-41325
Indicators of Compromise
- Unexpected pages, files, or users created by accounts that should not have creation permissions
- Web server logs showing creation requests containing unusual blueprint parameters from low-privileged users
- Audit trails indicating permission elevation during content creation operations
Detection Strategies
- Monitor Kirby CMS access logs for POST requests to creation endpoints containing blueprint parameters
- Implement application-level logging to track all page, file, and user creation events with associated user roles
- Deploy web application firewalls (WAF) with rules to detect injection patterns in CMS creation requests
- Review existing content for items created by users who should not have had creation permissions
Monitoring Recommendations
- Enable verbose logging in Kirby CMS to capture detailed request payloads for forensic analysis
- Set up alerts for content creation events by users with restricted roles
- Regularly audit user permissions against actual content creation activity
How to Mitigate CVE-2026-41325
Immediate Actions Required
- Upgrade Kirby CMS to version 4.9.0 or 5.4.0 immediately
- Review recently created pages, files, and users for any unauthorized content
- Audit user accounts and permissions to ensure proper access controls are in place
- Consider temporarily restricting CMS access to trusted administrators until patching is complete
Patch Information
The Kirby development team has addressed this vulnerability in versions 4.9.0 and 5.4.0. The patch updates the normalization code used during the creation of pages, files, and users to include a filter for the blueprint property, preventing the injection of dynamic blueprint configuration into creation requests.
Workarounds
- Restrict access to the Kirby panel to only trusted IP addresses using web server configuration
- Implement additional authentication layers (e.g., VPN, IP whitelisting) for CMS administrative access
- Temporarily disable user accounts that do not require content creation capabilities
- Deploy a web application firewall with custom rules to block requests containing blueprint injection patterns
# Example: Restrict Kirby panel access by IP in Apache .htaccess
<Directory "/path/to/kirby/panel">
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
Allow from 10.0.0.0/8
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
