CVE-2026-50188 in Kirbyinfo

Summary

by MITRE • 07/09/2026

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins using the Kirby Http Remote class, including Remote::request(), Remote::get(), and Remote::post(), to send outgoing HTTP requests with untrusted data in the headers option could allow newline characters in a header value to inject a separate unintended request header to the remote service. This issue is fixed in versions 4.9.4 and 5.4.4.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability affects Kirby content management systems where the Http Remote class is utilized for sending outgoing HTTP requests. This flaw specifically impacts versions prior to 4.9.4 and 5.4.4, creating a security risk when the system processes untrusted data within header values. The issue stems from inadequate input validation and sanitization of header parameters passed to methods such as Remote::request(), Remote::get(), and Remote::post(). When developers incorporate user-supplied or external data into HTTP headers without proper filtering, the system becomes susceptible to header injection attacks.

The technical exploitation occurs through newline character injection within header values, which allows attackers to manipulate the HTTP request structure. This vulnerability enables an attacker to inject additional header fields that can alter the intended behavior of outgoing requests. The injected headers may redirect requests to malicious endpoints, modify authentication tokens, or otherwise compromise the integrity of communications between the Kirby system and external services. This type of vulnerability aligns with CWE-113, which describes improper neutralization of input during web output, specifically concerning header injection flaws that can lead to unauthorized access or data manipulation.

The operational impact of this vulnerability extends beyond simple header manipulation as it can enable various attack vectors including but not limited to cross-site request forgery, authentication bypass attempts, and data exfiltration. Attackers could potentially exploit this weakness to redirect requests to their own servers, capture sensitive information from legitimate communications, or even perform unauthorized actions on behalf of the Kirby system. The risk is particularly elevated when plugins utilize the affected Remote class methods, as these extensions often handle user input or external data sources that may not be properly validated before being used in HTTP headers.

Security mitigations for this vulnerability primarily involve upgrading to patched versions 4.9.4 and 5.4.4 where proper input sanitization has been implemented. Organizations should also implement comprehensive input validation practices, particularly when dealing with user-supplied data that might eventually be used in HTTP headers. The remediation strategy should include filtering newline characters and other potentially dangerous sequences from header values before they are processed by the Remote class methods. Additionally, developers should adopt principle of least privilege when configuring outbound HTTP requests, limiting the exposure of sensitive information through headers and implementing proper logging to detect unusual header patterns that might indicate injection attempts.

This vulnerability demonstrates the importance of secure coding practices in web applications and aligns with ATT&CK technique T1071.004 for application layer protocol manipulation. The issue highlights how seemingly benign functionality can become a security risk when input validation is insufficient, emphasizing the need for robust sanitization routines in all user-facing data processing pathways. Organizations should conduct thorough code reviews focusing on HTTP request handling components and ensure that all external libraries and CMS plugins are updated to their latest secure versions to prevent exploitation of similar injection vulnerabilities.

Responsible

GitHub M

Reservation

06/04/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!