CVE-2026-49274 in Kirbyinfo

Summary

by MITRE • 07/09/2026

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or site to the page picker backend and confirm arbitrary page existence and retrieve title field values. This issue is fixed in versions 4.9.4 and 5.4.4.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/09/2026

This vulnerability affects Kirby content management systems prior to versions 4.9.4 and 5.4.4, specifically targeting the pages field functionality when users possess roles with disabled pages.access permissions. The flaw stems from insufficient input validation within the page picker backend component that allows authenticated users to manipulate the parent page selection process. Attackers can exploit this weakness by providing inaccessible parent pages or sites to the page picker interface, effectively bypassing intended access controls.

The technical implementation of this vulnerability resides in the backend validation logic that fails to properly sanitize user-provided parent page identifiers when processing page selection requests. This creates a scenario where users with restricted permissions can enumerate and verify the existence of pages they should not be able to access, while also retrieving title field values from those restricted resources. The vulnerability manifests through the pages field's interaction with the backend page picker functionality, which does not adequately enforce permission boundaries when processing user input.

The operational impact of this vulnerability extends beyond simple information disclosure, as it enables authenticated users to perform unauthorized reconnaissance activities against the CMS structure. Attackers can systematically test various page identifiers to determine which pages exist within the system, potentially uncovering sensitive content or administrative resources that should remain hidden. This reconnaissance capability allows for more targeted attacks and can facilitate privilege escalation attempts by identifying critical system components or user-specific pages.

The security implications align with CWE-200, which addresses information exposure through improper access control mechanisms, and CWE-639, which covers authorization bypasses through user-controlled input. From an ATT&CK framework perspective, this vulnerability maps to T1068, which involves privilege escalation through insecure direct object references, and T1566, which encompasses initial access via spearphishing or other social engineering techniques that could leverage the reconnaissance capabilities provided by this flaw.

Mitigation strategies should focus on implementing proper input validation and access control enforcement within the page picker backend components. System administrators must upgrade to Kirby versions 4.9.4 or 5.4.4 to receive the necessary security patches that address the insufficient permission checking. Additional protective measures include implementing stricter role-based access controls, monitoring for unusual page enumeration patterns, and conducting regular security assessments of CMS configurations to identify potential authorization bypass opportunities. Organizations should also consider implementing network-level restrictions and logging mechanisms to detect anomalous access patterns that could indicate exploitation attempts against similar vulnerabilities.

Responsible

GitHub M

Reservation

05/28/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!