CVE-2026-42069
Published 2026-05-09
Priority: P3 (37) · CVSS 3.1: 6.5 (medium)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.23% (13.8th percentile)
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getkirby | cms | >= 0 < 4.9.0 | 4.9.0 |
| getkirby | cms | >= 5.0.0 < 5.4.0 | 5.4.0 |
| getkirby | kirby | < 4.9.0 | 4.9.0 |
| getkirby | kirby | — | — |
| getkirby | kirby | >= 5.0.0 < 5.4.0 | 5.4.0 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | 4.0 | 7.1 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
getkirby up to 4.8.x/5.3.x authorization (GHSA-2h7v-4372-f6x2)
vuldb · 2026-05-09 · CVSS 7.1
CVE-2026-42069 [HIGH] getkirby up to 4.8.x/5.3.x authorization (GHSA-2h7v-4372-f6x2)
A vulnerability was found in getkirby kirby up to 4.8.x/5.3.x. It has been rated as problematic. The impacted element is an unknown function. The manipulation leads to missing authorization.
This vulnerability is traded as CVE-2026-42069. It is possible to initiate the attack remotely. There is no exploit available.
Upgrading the affected component is advised.
GHSA
Kirby CMS's read access to site, user and role information is not gated by permissions
ghsa · 2026-05-04
CVE-2026-42069 [HIGH] CWE-862 Kirby CMS's read access to site, user and role information is not gated by permissions
### TL;DR
This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users.
**This vulnerability is of high severity for affected sites.**
Sites using Kirby are *not* affected if they intend all users of the site to be able to list and access the site model and all users and roles, including the content stored within these models. Write actions are *not* affected by this vulnerability as they were gated by permissions before.
----
### Introduction
Missing authorization allows authenticated users to perform actions they are not intended to have access to.
The effects of missing authorization can include unauthorized access to sensitive inform
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.