CVE-2026-54004
published 2026-06-18


Severity: medium

## Kirby: Access to files of top-level drafts is not protected by permissions

### TL;DR

This vulnerability affects Kirby 5 sites that have the `content.fileRedirects` option enabled (set to `true` or a custom closure) as well as all Kirby 4 sites that haven't explicitly disabled this option.

It was possible to access clean file URLs of top-level drafts (e.g. `/about-us/team.jpg`) without providing authentication, without being authorized to access the top-level draft page, and without providing a valid preview token.

Sites on Kirby 5 using the default configuration are *not* affected by this vulnerability (the `content.fileRedirects` option is disabled by default since Kirby 5.0.0). It was also *not* possible to maliciously access clean file URLs for files stored in page drafts that are not on the top-level (such as `/blog/article/resource.pdf`).

----

### Introduction

Missing authorization allows authenticated users to perform actions they are not intended to have access to.

The effects of missing authorization can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.

### Affected components

Clean file redirects allow visitors to access files stored in the content folder via natural URLs such as `/about-us/team.jpg` or `/blog/article/resource.pdf`. Kirby detects such requests and redirects them to the actual physical file URLs in the `media` folder.

Kirby 4.8.0 introduced the `content.fileRedirects` option that allowed disabling this behavior to protect against third-party access to original source files. Kirby 5.0.0 then made the secure behavior (disabled option) the default. It is also possible to set the option to a closure to dynamically control access for each individual file.
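The following `site/config/config.php` is an added example, not Kirby's own code and not part of the advisory. It places the weak setting, the secure default, and a per-file closure side by side. It assumes that the closure form of `content.fileRedirects` receives the requested `Kirby\Cms\File` object and must return a boolean; the policy it implements (refuse clean URLs for any file whose page or one of its ancestors is a draft) is a defensive choice for this example, not the option's documented behaviour.

```php
<?php
// site/config/config.php (added example; not part of Kirby or the advisory)

return [
    'content' => [
        // Weak setting on an affected version: every file under a page is
        // reachable through a clean URL such as /about-us/team.jpg, which is
        // how files of top-level drafts became accessible without a login,
        // without the pages.access permission and without a preview token.
        // 'fileRedirects' => true,

        // Secure setting (the default since Kirby 5.0.0): clean file URLs are
        // never redirected, so the original files are only reachable via the
        // media URLs that Kirby generates for published output.
        // 'fileRedirects' => false,

        // Per-file control. Assumption: the closure gets the requested File
        // object and returns true to allow the redirect, false to refuse it.
        'fileRedirects' => function (Kirby\Cms\File $file): bool {
            $page = $file->page();

            // Files attached to the site or to a user have no page parent;
            // this policy refuses clean URLs for them.
            if ($page === null) {
                return false;
            }

            // Walk from the file's page up to the root: a draft anywhere in
            // the chain (top-level or nested) blocks the clean URL.
            for ($p = $page; $p !== null; $p = $p->parent()) {
                if ($p->isDraft()) {
                    return false;
                }
            }

            // Published page: allow the redirect to the media URL.
            return true;
        },
    ],
];
```

Setting the option to `false` or to a closure like this one is a configuration workaround; the versions the affected table lists as fixed (4.9.4 and 5.4.4) are the actual remediation, since the closure only controls the redirect and does not replace the permission check the fix adds.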

Files can be stored in pages. Pages can exist as drafts. In this draft state, the page preview is only accessible to users who are authenticated and authorized by the `pages.access` permission or to visitors who hav

### Affected (2 ranges)

| Vendor   | Product | Version range              | Fixed in |
|----------|---------|----------------------------|----------|
| getkirby | cms     | >= 0 < 4.9.4               | 4.9.4    |
| getkirby | cms     | >= 5.0.0-alpha.1 < 5.4.4   | 5.4.4    |