CVE-2026-44176 in Kirby
Summary
by MITRE • 07/17/2026
Kirby is an open-source content management system. Versions prior to 4.9.1 and 5.4.1 do not check the `pages.access` permission during page draft rendering. Permissions are defined for each user role in the user blueprint (site/blueprints/users/...). It is also possible to customize the permissions for each target model in the model blueprints (such as in site/blueprints/pages/...) using the options feature. The permissions and options together control the authorization of user actions. Kirby provides the pages.access and pages.list permissions (among others). The list permission controls whether affected models appear in lists throughout the Panel and REST API. The access permission has the same effect but also disables direct access to the affected models. This vulnerability affects the path resolver for the main CMS router. The resolver takes an input path from the requested URL and determines which model (page or file) should be rendered. When a path is requested that points to a page draft, the resolver checks that the request either contains a valid preview token or is authenticated by a valid user. In affected releases, Kirby allowed page drafts to be rendered if any valid user was authenticated, even if that user did not have access to the specific page model. Authenticated attackers with knowledge of the full path to an existing page draft could then access the rendered frontend page. This could lead to the disclosure of sensitive information, e.g. ahead of the launch of a new product or post. This issue has been fixed in versions 4.9.1 and 5.4.1.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
This vulnerability exists within Kirby CMS versions prior to 4.9.1 and 5.4.1 where the path resolver for the main CMS router fails to properly validate pages.access permissions during page draft rendering operations. The flaw occurs because the system checks for valid authentication or preview tokens when accessing page drafts but does not verify whether the authenticated user possesses the necessary access permissions for the specific target model. This represents a critical authorization bypass vulnerability that violates fundamental security principles of least privilege and role-based access control.
The technical implementation of this vulnerability stems from how Kirby handles permission validation in its routing system. While the system correctly validates preview tokens or authentication status, it neglects to enforce the pages.access permission checks that should occur when rendering page drafts. User roles are defined through user blueprints located in site/blueprints/users/ directory, while model-specific permissions can be customized via model blueprints in site/blueprints/pages/. These permissions include pages.access which controls direct access to models and pages.list which governs appearance in lists throughout the Panel and REST API. The absence of access permission validation during draft rendering creates a scenario where any authenticated user can potentially access page drafts they should not have access to, regardless of their assigned role permissions.
The operational impact of this vulnerability is significant as it allows authenticated attackers with knowledge of specific page paths to bypass access controls and view sensitive content that was intended to remain private until publication. This could result in unauthorized disclosure of confidential information such as upcoming product launches, unpublished blog posts, or other sensitive organizational content. The vulnerability specifically affects the path resolver component of the CMS router which processes incoming URL requests and determines which model should be rendered, making it a core architectural weakness that undermines the entire permission system.
This issue aligns with CWE-285 (Improper Authorization) and represents a classic case of insufficient authorization checking in web applications. The vulnerability also maps to ATT&CK technique T1078 (Valid Accounts) as it exploits legitimate authenticated user sessions to gain unauthorized access to restricted content. Organizations using affected versions of Kirby face potential data exposure risks that could compromise business operations, competitive advantages, and regulatory compliance requirements. The fix implemented in versions 4.9.1 and 5.4.1 addresses this by ensuring that page draft rendering operations properly validate pages.access permissions before allowing content delivery.
Mitigation strategies should include immediate upgrade to the patched versions 4.9.1 or 5.4.1, followed by comprehensive review of user permission assignments in both user blueprints and model blueprints to ensure proper access controls are in place. Security teams should also implement monitoring for unauthorized access attempts and consider additional authentication layers such as multi-factor authentication for administrative accounts. Organizations without immediate upgrade capabilities should consider implementing network-level restrictions or reverse proxy configurations that can enforce access control policies at the perimeter level until full patching can be achieved.