CVE-2026-42051 Overview
CVE-2026-42051 is an information disclosure vulnerability in Kirby, an open-source content management system (CMS). The system API endpoint exposes license data and installed version information to any authenticated user, regardless of permission level. This issue is classified as Missing Authorization [CWE-862] and affects Kirby versions prior to 4.9.0 and 5.4.0. The vendor patched the flaw in versions 4.9.0 and 5.4.0.
The vulnerability allows low-privileged authenticated users to retrieve sensitive operational metadata. Disclosure of the installed version simplifies reconnaissance for follow-on attacks targeting known weaknesses in specific Kirby releases.
Critical Impact
Authenticated users with minimal privileges can retrieve license details and exact version information through the system API endpoint, enabling targeted reconnaissance against Kirby installations.
Affected Products
- Kirby CMS versions prior to 4.9.0
- Kirby CMS versions prior to 5.4.0
- Self-hosted Kirby deployments exposing the Panel and system API to authenticated users
Discovery Timeline
- 2026-05-09 - CVE-2026-42051 published to the National Vulnerability Database (NVD)
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42051
Vulnerability Analysis
The vulnerability resides in Kirby's system API endpoint, which serves operational metadata to the administrative Panel. The endpoint returns license data and the installed Kirby version without verifying whether the requesting authenticated user has authorization to view that information.
Kirby supports role-based access where editors, clients, or custom roles may hold accounts with limited privileges. Under the affected versions, any authenticated session can query the system endpoint and receive the same response as an administrator. The leaked data includes license identifiers and the exact installed version string.
An attacker who compromises or registers any low-privileged account gains immediate visibility into the deployment's licensing posture and patch level. Knowing the precise version allows the attacker to match the target against public advisories and select exploitation paths with high reliability.
Root Cause
The root cause is missing authorization on the system API endpoint [CWE-862]. The endpoint authenticates the caller but does not enforce a role or permission check before returning license and version fields. Sensitive metadata is treated as broadly readable rather than restricted to administrative roles.
Attack Vector
Exploitation requires network access to the Kirby Panel and valid credentials for any user account. The attacker authenticates, issues a request to the system API endpoint, and parses the response for the license block and version string. No user interaction beyond the attacker's own session is required, and the action leaves traces that resemble normal Panel usage.
The vulnerability is described in the GitHub Security Advisory GHSA-x68m-c7jf-2572.
Detection Methods for CVE-2026-42051
Indicators of Compromise
- Authenticated requests to the Kirby system API endpoint originating from non-administrative user accounts
- Repeated system endpoint queries from a single session within a short time window, suggesting automated enumeration
- Panel access from unexpected IP ranges followed by system metadata requests
Detection Strategies
- Review Kirby Panel and web server access logs for GET requests to the system API path from accounts that do not hold administrative roles
- Correlate authentication events with subsequent system endpoint calls to identify low-privileged accounts probing metadata
- Alert on anomalous query patterns where the same session repeatedly polls the system endpoint
Monitoring Recommendations
- Forward Kirby and reverse proxy logs to a centralized log platform and retain them for incident review
- Baseline normal Panel API usage per role, then alert on deviations such as editors accessing system endpoints
- Monitor for new account creation followed by immediate system endpoint queries, a pattern consistent with reconnaissance
How to Mitigate CVE-2026-42051
Immediate Actions Required
- Upgrade Kirby to version 4.9.0 or 5.4.0, depending on the major release in use
- Audit existing Panel user accounts and remove or disable accounts that are no longer required
- Rotate any license keys that may have been exposed to non-administrative users
Patch Information
The vendor released fixed builds in Kirby 4.9.0 and Kirby 5.4.0. Both releases enforce authorization on the system API endpoint so that license and version data are only returned to users with appropriate privileges. Administrators should apply the patch matching their installed major version.
Workarounds
- Restrict Panel access to trusted networks using web server or firewall rules until the patch is applied
- Limit Panel account provisioning to users with a confirmed operational need
- Place the Kirby Panel behind an authenticating reverse proxy that enforces additional access controls on the system API path
# Example: verify installed Kirby version after upgrade
composer show getkirby/cms | grep versions
# Example: restrict Panel access at the web server (nginx)
location /panel/ {
allow 10.0.0.0/8;
deny all;
try_files $uri $uri/ /index.php?$query_string;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
