Kirby CMS controls user actions on content models through role-based permissions defined in user and model blueprints. Prior to versions 4.9.0 and 5.4.0, the system independently checked 'pages.create' and 'pages.changeStatus' permissions, but the 'changeStatus' permission was not enforced during page creation. As a result, authenticated users with 'pages.create' permission could use the REST API to set the 'isDraft' flag to false, creating published pages immediately and bypassing the normal editorial process. This flaw was addressed in Kirby 4.9.0 and 5.4.0 by enforcing that only users with 'pages.changeStatus' permission can create published pages, otherwise only drafts can be created.

Authenticated users with the 'pages.create' permission could bypass the intended editorial workflow by creating published pages directly via the REST API, potentially leading to unauthorized content publication. This could undermine content control policies within affected Kirby CMS installations. The vulnerability does not allow privilege escalation beyond the 'pages.create' permission and requires authentication.

This vulnerability is patched in Kirby versions 4.9.0 and 5.4.0. Users should upgrade to at least these versions to ensure the fix is applied. There is no official vendor advisory specifying alternative mitigations or temporary fixes. Patch status is not explicitly confirmed beyond the version fixes mentioned, so users should verify their version and update accordingly.