CVE-2026-54003 in Kirbyinfo

Summary

by MITRE • 07/09/2026

Kirby is an open-source content management system. Prior to 4.9.4 and from 5.4.4, Kirby sites with no configured user accounts that run on publicly accessible servers behind a reverse proxy setting the Forwarded, X-Client-IP, or X-Real-IP request header could allow remote attackers to install the Panel and create the first admin user because local-IP checks trusted those headers incorrectly. This issue is fixed in versions 4.9.4 and 5.4.4.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

This vulnerability affects Kirby content management systems where sites operate behind reverse proxies and utilize specific HTTP headers for client IP identification. The flaw stems from improper validation of forwarded IP addresses, allowing remote attackers to bypass authentication mechanisms that should only permit local network access to the admin panel. When a Kirby site has no configured user accounts and operates on a publicly accessible server, the system incorrectly trusts certain request headers including Forwarded, X-Client-IP, or X-Real-IP without proper verification of their authenticity. This misconfiguration creates a critical security gap where attackers can exploit the trust relationship between the proxy and the application to gain administrative access.

The technical implementation of this vulnerability involves the application's reliance on HTTP headers that are typically used by reverse proxies to communicate the original client IP address to backend servers. When these headers are present in incoming requests, the Kirby application performs local IP checks that incorrectly assume the IP addresses contained within these headers originate from trusted sources. This behavior violates fundamental security principles of input validation and trust boundaries, as the system fails to verify whether the forwarded IP addresses actually correspond to legitimate clients or have been manipulated by attackers. The vulnerability specifically targets installations where no user accounts exist initially, making the attack surface even more concerning as there are no existing authentication mechanisms to prevent unauthorized access.

The operational impact of this vulnerability is severe and potentially catastrophic for affected systems. Remote attackers can exploit this weakness to install the Kirby Panel and create the first administrative user account without any prior credentials or authorization. This allows full control over the content management system, enabling attackers to modify website content, add malicious files, change user permissions, and potentially use the compromised system as a staging area for further attacks. The vulnerability affects both version 4.x and 5.x branches of Kirby, indicating it was a systemic issue rather than an isolated incident, and the lack of proper IP validation creates a persistent risk for organizations that rely on reverse proxies without implementing additional security controls.

Organizations should implement multiple layers of mitigation to address this vulnerability effectively. The primary recommendation involves configuring reverse proxies to either strip or properly validate forwarded headers before they reach the Kirby application, ensuring that only trusted proxy servers can provide client IP information. Security measures should include implementing strict header validation policies and configuring the application to reject forwarded headers from untrusted sources. Additionally, organizations should consider implementing network-level controls such as firewall rules that restrict direct access to administrative endpoints and ensure that only legitimate proxy servers can communicate with the backend application. The fix in versions 4.9.4 and 5.4.4 addresses this by implementing proper header validation mechanisms and strengthening the IP address verification process, aligning with security best practices outlined in CWE categories related to input validation and trust boundary violations.

This vulnerability demonstrates a classic example of insecure handling of forwarded headers that falls under ATT&CK technique T1078 for valid accounts and T1566 for credential stuffing through proxy manipulation. The flaw represents a failure in implementing proper access control mechanisms and highlights the importance of validating all input sources, particularly those that are typically considered trustworthy by default. Organizations should conduct comprehensive security audits to identify similar misconfigurations in their infrastructure and ensure that all applications properly validate IP addresses regardless of source, adhering to principle of least privilege and defense in depth strategies. The vulnerability also underscores the need for proper security configuration management and regular updates to address known weaknesses in open-source software components.

Responsible

GitHub M

Reservation

06/11/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!