CVE-2026-54003
published 2026-06-18

# Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header

Severity: critical (9.8)

### TL;DR

This vulnerability affects Kirby sites that have no configured user accounts and are running on publicly accessible servers behind a reverse proxy that sets the `Forwarded: for=...`, `X-Client-IP`, or `X-Real-IP` request header.

It was possible to install the Panel (= create the first admin user) in these setups even from remote IP addresses.

**This vulnerability is of critical severity for affected sites.**

Your site is *not* affected if any of the following apply:

- An admin account has already been configured
- The Panel and API are disabled
- The site is not running behind a reverse proxy
- The reverse proxy sets the `X-Forwarded-For` or `Client-IP` header instead of the affected ones

----

### Introduction

External Initialization is a type of vulnerability that allows attackers to initialize a system or configuration value without authentication.

This can give untrusted actors access to the system or let them control its behavior.

### Affected components

The Kirby Panel and REST API are authenticated by local user accounts. If a Kirby installation does not yet have any users, it first needs to be installed. During the installation process, an initial admin user account is created.

To protect against external initialization attacks that would allow untrusted actors to create an admin user for the Kirby installation, Kirby already checked whether the current request came from a local IP address. This allows installing the Panel in local development setups. Installation on remote servers was only supposed to be possible when the `panel.install` configuration option was enabled.

The `isLocal` check takes all relevant request headers into account and treats a request as non-local as soon as any checked request header contains an external IP address.
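As an added illustration (not Kirby's own code), the following Python sketch shows the fail-closed shape of the `isLocal` check the advisory describes: a request counts as local only if `REMOTE_ADDR` and every address carried in any forwarding header, including the `for=` parameter of the `Forwarded` header, is a loopback address. The header set, the loopback-only rule and the `installation_allowed` helper are assumptions of this example.

```python
import ipaddress

# Headers a reverse proxy may use to carry the original client address. The
# check must consider all of them; skipping any one is exactly the class of
# mistake this advisory describes. (Header set is an assumption of this example.)
FORWARDING_HEADERS = ("X-Forwarded-For", "Client-IP", "X-Client-IP", "X-Real-IP")

def _parse_forwarded(value):
    """Return every for= node from an RFC 7239 Forwarded header value."""
    nodes = []
    for element in value.split(","):
        for pair in element.split(";"):
            name, _, node = pair.strip().partition("=")
            if name.strip().lower() != "for":
                continue
            node = node.strip().strip('"')
            if node.startswith("["):  # bracketed IPv6, optional port: "[::1]:4711"
                node = node[1:node.find("]")] if "]" in node else node[1:]
            elif node.count(":") == 1:  # IPv4 with port: "203.0.113.7:4711"
                node = node.split(":")[0]
            nodes.append(node)
    return nodes

def candidate_ips(remote_addr, headers):
    """REMOTE_ADDR plus every address any forwarding header claims for the client."""
    lowered = {name.lower(): value for name, value in headers.items()}
    ips = [remote_addr]
    for name in FORWARDING_HEADERS:
        if name.lower() in lowered:
            ips.extend(part.strip() for part in lowered[name.lower()].split(","))
    if "forwarded" in lowered:
        ips.extend(_parse_forwarded(lowered["forwarded"]))
    return ips

def is_loopback(ip):
    """Only loopback addresses count as local; anything unparseable fails closed."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def is_local(remote_addr, headers):
    """Local only if *every* candidate address is loopback; one external IP denies."""
    return all(is_loopback(ip) for ip in candidate_ips(remote_addr, headers))

def installation_allowed(remote_addr, headers, panel_install=False):
    """Policy from the text: remote installation needs the explicit config option."""
    return panel_install or is_local(remote_addr, headers)
```

Constructed inputs such as `{"Forwarded": "for=203.0.113.7"}` behind a loopback `REMOTE_ADDR` are rejected, while a bracketed loopback node like `for="[::1]:4711"` still passes.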

### Impact

In affected releases, the `isLocal` check for the installation logic did not properly t

### Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getkirby | cms | >= 0 < 4.9.4 | 4.9.4 |
| getkirby | cms | >= 5.0.0-alpha.1 < 5.4.4 | 5.4.4 |