CVE-2026-42069 PUBLISHED

Kirby: Read access to site, user and role information is not gated by permissions

Assigner: GitHub_M
Reserved: 23.04.2026 Published: 09.05.2026 Updated: 09.05.2026

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 7.1

Product Status

Vendor getkirby
Product kirby
Versions
  • Version < 4.9.0 is affected
  • Version >= 5.0.0, < 5.4.0 is affected

References

Problem Types

  • CWE-862: Missing Authorization CWE