CVE-2026-42174 Overview
CVE-2026-42174 is a missing authorization vulnerability [CWE-862] in Kirby, an open-source content management system. The flaw allows authenticated users to create, replace, or delete user avatars without holding the required user update permissions. The Kirby maintainers patched the issue in versions 4.9.0 and 5.4.0.
The vulnerability stems from avatar handling code that fails to enforce the same permission checks applied to other user profile modifications. Any user account with panel access can manipulate avatar files belonging to other users, including administrators.
Critical Impact
Authenticated low-privilege Kirby users can modify or delete avatars of any user account, bypassing the user update permission model and enabling unauthorized integrity changes to user-facing assets.
Affected Products
- Kirby CMS versions prior to 4.9.0 (4.x branch)
- Kirby CMS versions prior to 5.4.0 (5.x branch)
- Kirby Panel deployments that allow non-admin authenticated users
Discovery Timeline
- 2026-05-09 - CVE-2026-42174 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42174
Vulnerability Analysis
Kirby is a file-based content management system (CMS) widely used for building websites and editorial workflows. The platform enforces role-based access control through a permission model that gates actions such as users.update, users.create, and users.delete. These checks normally protect user profile fields, role assignments, and account state changes.
Avatar operations — creation, replacement, and deletion — are logically part of user profile management. Before the patched releases, the avatar handling code paths did not call the user update permission check. An authenticated user with panel access could therefore issue avatar requests targeting other users without holding the appropriate role permission.
The practical impact is integrity loss on user avatar assets. An attacker can replace an administrator's avatar with arbitrary image content or remove avatars across the user directory. Confidentiality and availability of the underlying CMS data are not directly affected.
Root Cause
The root cause is a missing authorization check [CWE-862] in the avatar create, replace, and delete handlers. The code assumed that authenticated panel access was sufficient, rather than re-validating that the acting user held update permission on the target user object. This is a classic broken access control pattern where adjacent operations on the same resource enforce different permission boundaries.
Attack Vector
Exploitation requires an authenticated session in the Kirby Panel. An attacker with any low-privilege panel account submits an avatar upload, replacement, or deletion request through the Panel API, specifying another user as the target. The request succeeds because the handler does not verify the actor's permission to update that user. No user interaction from the victim is required. Full technical details are available in the GitHub Security Advisory GHSA-39cp-6679-8xv2.
Detection Methods for CVE-2026-42174
Indicators of Compromise
- Unexpected avatar file changes in the accounts/ directory tied to user accounts the requester does not own
- Panel API requests to avatar endpoints where the authenticated session principal differs from the target user identifier
- Audit log entries showing avatar create, replace, or delete actions performed by non-admin users against admin accounts
Detection Strategies
- Review Kirby Panel and web server access logs for POST, PATCH, or DELETE requests against avatar endpoints, correlating session user against the URL-targeted user
- Compare the Kirby installation version against the patched releases 4.9.0 and 5.4.0 using software composition analysis tooling
- Hash and inventory user avatar files, then alert on modifications that are not associated with self-service updates
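The log-correlation strategy above, as an added example that is not part of the advisory or of Kirby's own code: it scans constructed access-log lines that carry the authenticated session user and role, and flags avatar write requests whose URL targets a different account than the one the non-admin requester is logged in as. The route shape `/api/users/<id>/avatar` and the log line format are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Assumed Panel API route for avatar upload/replace/delete (not stated on the page).
AVATAR_RE = re.compile(r"^/api/users/(?P<target>[^/]+)/avatar/?$")
# Methods that change an avatar; GET reads are not interesting here.
AVATAR_METHODS = {"POST", "PATCH", "DELETE"}

# Constructed log format: "<ts> <session_user> <role> <method> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<role>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass
class Finding:
    ts: str
    actor: str
    role: str
    method: str
    target: str
    status: int  # 2xx means the change went through; 4xx is an attempt worth noting


def find_cross_user_avatar_changes(lines, admin_roles=("admin",)):
    """Return avatar write requests where a non-admin session user targets
    another account. Self-service updates and admin actions are skipped."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] not in AVATAR_METHODS:
            continue  # unparseable line or not an avatar write
        path = m["path"].split("?", 1)[0]  # drop any query string before matching
        route = AVATAR_RE.match(path)
        if not route or route["target"] == m["user"]:
            continue  # not an avatar route, or the user is editing their own avatar
        if m["role"] in admin_roles:
            continue  # admins hold user update permission anyway
        findings.append(Finding(m["ts"], m["user"], m["role"], m["method"],
                                route["target"], int(m["status"])))
    return findings


# Constructed sample log lines for the example.
SAMPLE_LOG = [
    "2026-05-10T09:12:01Z editor1 editor POST /api/users/editor1/avatar 200",
    "2026-05-10T09:14:33Z editor1 editor POST /api/users/admin1/avatar 200",
    "2026-05-10T09:15:02Z admin1 admin DELETE /api/users/editor2/avatar 200",
    "2026-05-10T09:16:45Z editor2 editor DELETE /api/users/admin1/avatar?x=1 403",
    "2026-05-10T09:17:00Z editor2 editor GET /api/users/admin1/avatar 200",
    "not a log line",
]

if __name__ == "__main__":
    for f in find_cross_user_avatar_changes(SAMPLE_LOG):
        print(f)
```

A 200 on a cross-user write from a non-admin account on an unpatched version is the strongest indicator; 403s on the same route after upgrading are the patch doing its job.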
Monitoring Recommendations
- Enable verbose Panel audit logging and forward events to a centralized log store for correlation against authenticated session identity
- Monitor file system changes under the Kirby accounts/ and media/users/ directories using integrity monitoring
- Track Kirby release advisories from the Kirby GitHub repository for follow-on permission-related fixes
How to Mitigate CVE-2026-42174
Immediate Actions Required
- Upgrade Kirby installations on the 4.x branch to version 4.9.0 or later
- Upgrade Kirby installations on the 5.x branch to version 5.4.0 or later
- Audit panel user accounts and remove or downgrade unnecessary low-privilege accounts that retain panel access
- Review recent avatar changes across all user accounts to confirm none were performed by unauthorized actors
Patch Information
The Kirby maintainers released fixes in Kirby 4.9.0 and Kirby 5.4.0. Both releases add the missing user update permission check to the avatar create, replace, and delete code paths. Apply the patch matching your major version branch. See the GitHub Security Advisory GHSA-39cp-6679-8xv2 for full advisory details.
Workarounds
- Restrict Kirby Panel access to trusted administrators using web server access controls or network ACLs until patching is complete
- Disable or remove panel access for user roles that do not require it, reducing the population of accounts that can exploit the flaw
- Set restrictive filesystem permissions on the accounts/ directory and monitor for out-of-band changes pending upgrade
# Verify Kirby version via Composer and upgrade to a patched release
composer show getkirby/cms
# Upgrade to the patched 5.x release
composer require getkirby/cms:^5.4.0
# Or upgrade to the patched 4.x release
composer require getkirby/cms:^4.9.0
# Clear caches after upgrade
rm -rf site/cache/*
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.