Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-41325

CVE-2026-41325: Getkirby Kirby Auth Bypass Vulnerability

CVE-2026-41325 is an authentication bypass vulnerability in Getkirby Kirby CMS that allows attackers to override user permissions by injecting dynamic blueprint configuration. This post covers technical details, affected versions, and patches.

Published:

CVE-2026-41325 Overview

CVE-2026-41325 is an authorization bypass vulnerability in Kirby, an open-source content management system. The flaw exists in how Kirby handles user permissions during the creation of pages, files, and users. Prior to versions 4.9.0 and 5.4.0, attackers with low-privileged access could inject custom dynamic blueprint configuration into model data, effectively overriding the permissions and options configured by site developers in user and model blueprints.

Critical Impact

Authenticated attackers can bypass permission controls by injecting 'create' => true into the blueprint property, circumventing access restrictions and potentially creating unauthorized content within the CMS.

Affected Products

  • Kirby CMS versions prior to 4.9.0
  • Kirby CMS versions prior to 5.4.0
  • getkirby kirby

Discovery Timeline

  • 2026-04-24 - CVE CVE-2026-41325 published to NVD
  • 2026-04-27 - Last updated in NVD database

Technical Details for CVE-2026-41325

Vulnerability Analysis

This vulnerability (CWE-863: Incorrect Authorization) stems from insufficient validation of user-supplied data during the creation of content models in Kirby CMS. The platform's permission system relies on blueprints defined in site/blueprints/users/ for user roles and site/blueprints/pages/ for page-specific controls, with additional customization available through the options feature in model blueprints.

The core issue is that the normalization code used during the creation of pages, files, and users did not properly filter the blueprint property from incoming requests. This allowed authenticated users to inject arbitrary blueprint configuration, including permission overrides, directly into the creation payload.

Root Cause

The root cause is improper input validation in the model creation workflow. Kirby's permission system combines pages.create, files.create, and users.create permissions with blueprint-level options to determine authorization. However, the system failed to sanitize the blueprint property during model instantiation, allowing malicious users to inject dynamic configuration that overrides the intended access controls.

Attack Vector

The attack requires network access and valid low-privileged credentials to the Kirby CMS administrative interface. An attacker can exploit this vulnerability by crafting a malicious creation request that includes an injected blueprint property with options containing 'create' => true. When the CMS processes this request, the injected configuration takes precedence over the developer-configured permissions, granting the attacker unauthorized creation capabilities.

The exploitation flow involves:

  1. Authenticating to the Kirby CMS panel with any valid user account
  2. Intercepting or crafting a page, file, or user creation request
  3. Injecting a blueprint property containing malicious options configuration
  4. Bypassing the permission checks to create unauthorized content

For detailed technical information about the exploitation mechanism, refer to the GitHub Security Advisory GHSA-6gqr-mx34-wh8r.

Detection Methods for CVE-2026-41325

Indicators of Compromise

  • Unexpected pages, files, or users created by accounts that should not have creation permissions
  • Web server logs showing creation requests containing unusual blueprint parameters from low-privileged users
  • Audit trails indicating permission elevation during content creation operations

Detection Strategies

  • Monitor Kirby CMS access logs for POST requests to creation endpoints containing blueprint parameters
  • Implement application-level logging to track all page, file, and user creation events with associated user roles
  • Deploy web application firewalls (WAF) with rules to detect injection patterns in CMS creation requests
  • Review existing content for items created by users who should not have had creation permissions

Monitoring Recommendations

  • Enable verbose logging in Kirby CMS to capture detailed request payloads for forensic analysis
  • Set up alerts for content creation events by users with restricted roles
  • Regularly audit user permissions against actual content creation activity

How to Mitigate CVE-2026-41325

Immediate Actions Required

  • Upgrade Kirby CMS to version 4.9.0 or 5.4.0 immediately
  • Review recently created pages, files, and users for any unauthorized content
  • Audit user accounts and permissions to ensure proper access controls are in place
  • Consider temporarily restricting CMS access to trusted administrators until patching is complete

Patch Information

The Kirby development team has addressed this vulnerability in versions 4.9.0 and 5.4.0. The patch updates the normalization code used during the creation of pages, files, and users to include a filter for the blueprint property, preventing the injection of dynamic blueprint configuration into creation requests.

Workarounds

  • Restrict access to the Kirby panel to only trusted IP addresses using web server configuration
  • Implement additional authentication layers (e.g., VPN, IP whitelisting) for CMS administrative access
  • Temporarily disable user accounts that do not require content creation capabilities
  • Deploy a web application firewall with custom rules to block requests containing blueprint injection patterns
bash
# Example: Restrict Kirby panel access by IP in Apache .htaccess
<Directory "/path/to/kirby/panel">
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24
    Allow from 10.0.0.0/8
</Directory>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.