CVE-2026-42137: CWE-862: Missing Authorization in getkirby kirby
Kirby CMS versions prior to 4.9.0 and between 5.0.0 and 5.4.0 have a missing authorization vulnerability where permissions for 'pages.access/list' and 'files.access/list' are not consistently enforced in the Panel and REST API. This issue allows users with limited privileges to potentially access lists of pages and files without proper authorization.
AI Analysis
Technical Summary
CVE-2026-42137 describes a missing authorization vulnerability in the Kirby content management system. Specifically, before versions 4.9.0 and 5.4.0, the system does not consistently check 'pages.access/list' and 'files.access/list' permissions in both the administrative Panel and REST API endpoints. This inconsistency can lead to unauthorized access to lists of pages and files. The vulnerability is classified under CWE-862 (Missing Authorization) and CWE-863 (Incorrect Authorization). The issue has been fixed in Kirby versions 4.9.0 and 5.4.0.
Potential Impact
The vulnerability allows users with limited privileges to access lists of pages and files without proper authorization, potentially exposing sensitive content metadata. The CVSS 4.0 score of 7.1 (high severity) reflects the network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality. There is no indication of known exploits in the wild at this time.
Mitigation Recommendations
Upgrade Kirby CMS to version 4.9.0 or later if using the 4.x branch, or to version 5.4.0 or later if using the 5.x branch. These versions contain the official fix that enforces consistent permission checks for 'pages.access/list' and 'files.access/list' in both the Panel and REST API. Patch status is confirmed by the vendor advisory stating the issue is fixed in these versions.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-24T17:15:21.833Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69ffe1afcbff5d8610eac9f8
Added to database: 5/10/2026, 1:38:55 AM
Last enriched: 5/10/2026, 1:39:35 AM
Last updated: 5/10/2026, 8:43:21 AM