CVE-2026-42069 Overview
CVE-2026-42069 is a missing authorization vulnerability [CWE-862] in Kirby, an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user, and role information is not gated by permissions. Authenticated users with low privileges can retrieve information they should not be authorized to view. Maintainers patched the issue in Kirby 4.9.0 and 5.4.0.
Critical Impact
Low-privileged authenticated users can read site, user, and role information without the permission checks normally required to access this data.
Affected Products
- Kirby CMS versions prior to 4.9.0 (4.x branch)
- Kirby CMS versions prior to 5.4.0 (5.x branch)
- Self-hosted Kirby installations exposing the Panel or API to authenticated users
Discovery Timeline
- 2026-05-09 - CVE-2026-42069 published to the National Vulnerability Database (NVD)
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42069
Vulnerability Analysis
The flaw is a missing authorization check [CWE-862] in Kirby's data access layer. Read operations against site, user, and role objects do not validate whether the requesting principal holds the permission required to view that data. As a result, any authenticated user, regardless of role, can enumerate sensitive metadata that should be restricted.
The attack vector is network-based and requires a valid low-privileged account. No user interaction is needed. The confidentiality impact is high because exposed data includes user records and role definitions that map to the Panel's access model.
Root Cause
Kirby exposes site, user, and role objects through its Panel and API surfaces. The affected versions invoke read paths that return these objects without first calling the permission gate that other operations use. The authorization layer exists in the framework, but the specific read endpoints bypass it. The maintainers corrected the gap by routing site, user, and role reads through the standard permission check in versions 4.9.0 and 5.4.0.
Attack Vector
An attacker authenticates to a Kirby instance with any low-privileged account. The attacker then issues Panel or API requests that read site configuration, user listings, or role definitions. The server returns the requested data without validating that the account's role permits the read. The attacker uses the disclosed information to map accounts, identify privileged users, and plan further attacks against the application or its operators.
No verified public exploit code is available at this time. For technical details, see the GitHub Security Advisory GHSA-2h7v-4372-f6x2.
Detection Methods for CVE-2026-42069
Indicators of Compromise
- Authenticated Panel or API requests from low-privileged accounts that target /api/users, /api/roles, or site metadata endpoints.
- Unusual enumeration patterns where a single session iterates through user or role identifiers in sequence.
- Successful HTTP 200 responses to user and role read requests originating from accounts that should not have administrative scope.
Detection Strategies
- Review Kirby application logs and reverse proxy access logs for read requests against user, role, and site endpoints grouped by session and account role.
- Compare request volume per account against expected baselines for editor and contributor roles.
- Alert when a non-admin account issues read requests against role definitions, which are not used during normal editorial workflows.
Monitoring Recommendations
- Forward web server and Kirby Panel logs to a central log platform and retain at least 90 days for retrospective hunting.
- Build dashboards that group user and role API calls by role to surface privilege mismatches.
- Track the installed Kirby version across all hosted sites and flag any instance running a release earlier than 4.9.0 or 5.4.0.
How to Mitigate CVE-2026-42069
Immediate Actions Required
- Upgrade Kirby to version 4.9.0 if running the 4.x branch, or 5.4.0 if running the 5.x branch.
- Audit existing Kirby accounts and remove or downgrade any unused or unnecessary low-privileged accounts that could be abused to read restricted data.
- Rotate credentials for any account that may have been used to enumerate site, user, or role information while the host was unpatched.
Patch Information
The Kirby maintainers fixed CVE-2026-42069 in releases 4.9.0 and 5.4.0. Both releases route read access to site, user, and role information through the permission system. Release details are available in the Kirby 4.9.0 release notes and the Kirby 5.4.0 release notes. Refer to the GitHub Security Advisory GHSA-2h7v-4372-f6x2 for the vendor advisory.
Workarounds
- No vendor-supplied workaround is documented; upgrading to a patched release is the supported remediation.
- Where immediate upgrade is not possible, restrict Panel and API access to trusted networks using reverse proxy access controls or IP allowlists.
- Disable or remove low-privileged accounts that are not actively needed until the upgrade is complete.
# Configuration example: verify installed Kirby version via Composer
composer show getkirby/cms | grep versions
# Upgrade to a patched release (choose the line matching your branch)
composer require getkirby/cms:^4.9.0
composer require getkirby/cms:^5.4.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
