CVE-2026-42137 Overview
CVE-2026-42137 is a missing authorization vulnerability [CWE-862] affecting Kirby, an open-source content management system written in PHP. The flaw exists in versions prior to 4.9.0 and 5.4.0, where pages.access/list and files.access/list permissions are not consistently enforced in the Panel and REST API. Authenticated users with low privileges can access page and file listing data they should not be able to view. The vendor patched the issue in Kirby 4.9.0 and 5.4.0.
Critical Impact
Authenticated low-privilege users can bypass access control checks in the Kirby Panel and REST API to enumerate pages and files restricted by pages.access/list and files.access/list permissions.
Affected Products
- Kirby CMS versions prior to 4.9.0 (4.x branch)
- Kirby CMS versions prior to 5.4.0 (5.x branch)
- Kirby Panel and REST API components
Discovery Timeline
- 2026-05-09 - CVE-2026-42137 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42137
Vulnerability Analysis
The vulnerability resides in how the Kirby Panel and REST API evaluate pages.access/list and files.access/list permissions. These permissions control which users can see specific pages and files in listing operations. The application fails to apply these checks consistently across all code paths that return listing data.
An authenticated user with limited privileges can issue requests to Panel endpoints or REST API routes and receive entries that should be filtered by the access list rules. The result is unauthorized disclosure of content metadata, structure, and potentially confidential file references stored within the CMS.
The weakness is classified under CWE-862: Missing Authorization. The CVSS vector indicates a network-exploitable issue requiring low privileges, with high impact on confidentiality and no impact on integrity or availability.
Root Cause
The root cause is inconsistent permission enforcement. Kirby supports granular access/list permissions on pages and files, but the Panel and REST API code paths did not uniformly invoke these checks before returning listing results. Specific endpoints returned data without first filtering against the caller's effective permissions, allowing the access control model to be bypassed.
Attack Vector
Exploitation requires an authenticated session on the target Kirby installation. The attacker uses a valid Panel or API token and sends crafted requests to listing endpoints. Because the authorization check is missing or skipped, the server returns page and file entries restricted by the configured permissions. No user interaction beyond the attacker's own request is required.
No verified public proof-of-concept code is available for this issue. Refer to the GitHub Security Advisory GHSA-85x2-r8xv-ww8c for vendor-supplied technical details.
Detection Methods for CVE-2026-42137
Indicators of Compromise
- Panel or REST API requests from low-privilege accounts returning page or file entries normally restricted by pages.access/list or files.access/list rules.
- Unusual enumeration patterns against Kirby Panel routes such as /api/pages and /api/files from a single authenticated session.
- Web server logs showing repeated GET requests to listing endpoints with consistent HTTP 200 responses from non-admin users.
Detection Strategies
- Review Kirby and reverse proxy access logs for authenticated users issuing high volumes of requests against Panel and API listing endpoints.
- Compare returned listing items against the requesting user's configured role permissions to identify entries that should have been filtered.
- Audit Kirby role definitions in site/blueprints/users/ and correlate access/list settings with observed API responses.
Monitoring Recommendations
- Forward Kirby application and web server logs to a centralized logging platform for correlation against user role data.
- Alert on authenticated requests to /api/pages/*/children and /api/files endpoints from accounts without administrative privileges.
- Track sudden increases in 200-status responses on Panel and REST API endpoints following permission changes.
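The detection and monitoring steps above, as an added example that is not part of the original advisory or of the Kirby project: a small Python script that scans web server access logs for successful listing requests to the Panel API from non-admin accounts. It assumes the reverse proxy appends a `user=<name>` field to each log line and that the admin role set is derived from site/blueprints/users/ (both constructed here).

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log lines (combined log format plus a trailing
# "user=<name>" field that a reverse proxy is assumed to add).
SAMPLE_LOG = """\
10.0.0.5 - - [09/May/2026:10:01:02 +0000] "GET /api/pages/blog/children HTTP/1.1" 200 5120 user=editor1
10.0.0.5 - - [09/May/2026:10:01:03 +0000] "GET /api/pages/intranet/children HTTP/1.1" 200 8192 user=editor1
10.0.0.5 - - [09/May/2026:10:01:04 +0000] "GET /api/files HTTP/1.1" 200 20480 user=editor1
10.0.0.9 - - [09/May/2026:10:02:00 +0000] "GET /api/pages/blog/children HTTP/1.1" 200 5120 user=admin1
10.0.0.7 - - [09/May/2026:10:03:00 +0000] "GET /api/pages/intranet/children HTTP/1.1" 403 120 user=editor2
10.0.0.7 - - [09/May/2026:10:03:01 +0000] "GET /panel/site HTTP/1.1" 200 4096 user=editor2
"""

# Constructed role map; in practice derive it from site/blueprints/users/.
ADMIN_USERS = {"admin1"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ user=(?P<user>\S+)'
)
# Listing endpoints named in the advisory: page children and file listings.
LISTING_RE = re.compile(r'^/api/(pages/[^/?]+/children|files)(\?|$)')


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_listings(log_text, admin_users, threshold=2):
    """Return {user: (count, sorted paths)} for non-admin users whose number of
    successful (HTTP 200) GET listing requests reaches `threshold`."""
    hits = defaultdict(set)
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["method"] != "GET" or rec["status"] != "200":
            continue
        if rec["user"] in admin_users or not LISTING_RE.match(rec["path"]):
            continue
        counts[rec["user"]] += 1
        hits[rec["user"]].add(rec["path"])
    return {u: (n, sorted(hits[u])) for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for user, (n, paths) in find_suspicious_listings(SAMPLE_LOG, ADMIN_USERS).items():
        print(f"{user}: {n} successful listing requests -> {paths}")
```

Flagged users should then be checked against their role's access/list settings, since a 200 response alone is legitimate for accounts that are allowed to see those pages and files.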
How to Mitigate CVE-2026-42137
Immediate Actions Required
- Upgrade Kirby installations on the 4.x branch to version 4.9.0 or later.
- Upgrade Kirby installations on the 5.x branch to version 5.4.0 or later.
- Audit existing user accounts and remove unnecessary Panel access for users who do not require it.
- Review historical Panel and REST API logs for evidence of unauthorized listing access prior to patching.
Patch Information
The vendor released fixes in the Kirby 4.9.0 release and the Kirby 5.4.0 release. Both updates enforce pages.access/list and files.access/list permission checks consistently across the Panel and REST API. Full advisory details are published in GHSA-85x2-r8xv-ww8c.
Workarounds
- Restrict Panel access at the network layer using IP allowlists or VPN gating until the patch is applied.
- Tighten role blueprints to reduce the number of users with Panel login capability.
- Place the Kirby Panel behind an authenticating reverse proxy that requires an additional credential.
# Upgrade Kirby via Composer
composer require getkirby/cms:^5.4.0
# Or for the 4.x branch
composer require getkirby/cms:^4.9.0
# Verify installed version (adjust the bootstrap path to your install; a pure Composer install exposes it via vendor/autoload.php)
php -r "require 'kirby/bootstrap.php'; echo Kirby\Cms\App::version(), PHP_EOL;"
This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.