CVE-2026-44174 in Kirby
Summary
by MITRE • 07/16/2026
Kirby is an open-source content management system. Prior to 4.9.1 and 5.4.1, Kirby did not validate the model attributes that were used in its collection queries, allowing attackers to include arbitrary model methods in their queries. This includes methods with sensitive data such as password() (disclosing the password hash) or root() (disclosing the absolute filesystem path on the server) as well as methods that perform impactful actions such as loginPasswordless() (causing a privilege escalation to another user) or delete() (deleting all queried models in one go if the authenticated user has appropriate permissions). This issue has been fixed in versions 4.9.1 and 5.4.1.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability in Kirby CMS represents a critical authorization bypass and information disclosure weakness that stems from insufficient input validation in collection query processing. This flaw exists in versions prior to 4.9.1 and 5.4.1 where the system fails to properly sanitize model attributes used within collection queries, creating an avenue for malicious actors to inject arbitrary method calls into database operations. The root cause aligns with CWE-20, specifically input validation errors, where the application does not adequately filter or validate user-supplied data before incorporating it into internal processing logic. Attackers can exploit this weakness by crafting malicious collection queries that reference sensitive model methods, bypassing normal access controls and potentially gaining unauthorized access to critical system information.
The technical implications of this vulnerability extend beyond simple data exposure to encompass full privilege escalation capabilities and destructive potential within the application's operational scope. When attackers include methods such as password() in their queries, they can extract password hash values that would otherwise remain protected within the application's security model, effectively undermining authentication mechanisms. Similarly, the root() method disclosure reveals absolute filesystem paths on the server, providing attackers with critical infrastructure information for further exploitation attempts. The vulnerability becomes even more dangerous when considering methods like loginPasswordless(), which can be leveraged to assume the identity of other users without proper authentication, and delete(), which allows for bulk data destruction when combined with appropriate permissions. These capabilities collectively represent a severe compromise of both confidentiality and integrity within the CMS environment.
The operational impact of this vulnerability creates significant risk for organizations relying on Kirby CMS versions prior to the patched releases, as attackers can exploit these weaknesses to gain unauthorized access to sensitive system resources and potentially compromise entire deployments. The vulnerability operates at the application level where authenticated users can leverage their permissions to execute destructive operations that would normally require elevated privileges or additional authentication mechanisms. This represents a direct violation of the principle of least privilege and allows for privilege escalation scenarios that could lead to complete system compromise. Organizations may face data loss, unauthorized access to sensitive information, and potential regulatory compliance violations depending on the nature of data stored within their Kirby installations.
Security mitigations for this vulnerability require immediate patching of affected systems to versions 4.9.1 or 5.4.1 where proper input validation has been implemented. The fix addresses the core issue by implementing comprehensive model attribute validation that prevents arbitrary method inclusion in collection queries, effectively closing the attack vector identified in the vulnerability. Organizations should also implement additional security controls such as query parameter whitelisting, role-based access control enforcement, and regular security auditing of application code to prevent similar issues from arising in other components. From an ATT&CK framework perspective, this vulnerability maps to techniques involving privilege escalation through application flaws and credential access via insecure authentication mechanisms, making it a critical target for both defensive measures and security monitoring activities. The remediation process should include thorough testing of patched environments to ensure no regression issues affect legitimate application functionality while maintaining the security improvements implemented in the updated versions.