PT-2026-36818 · Kirby · Kirby
Bastian Allgeier · Published 2026-04-30 · Updated 2026-05-11 · CVE-2026-42137
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Kirby versions prior to 4.9.0
Kirby versions prior to 5.4.0
Description
Missing authorization allows authenticated users to perform actions they are not intended to have access to, potentially leading to unauthorized access to sensitive information. The issue occurs when pages.access/list and files.access/list permissions are not consistently checked in the Panel and REST API. Specifically, models for which access or list permissions were disabled were not consistently hidden in the following scenarios:
- The Panel changes dialog listed changed models regardless of listable status.
- The REST API failed to consistently filter collections and related models, including missing checks for children, drafts, files, parents, and siblings of pages; parents and siblings of files; children, drafts, and files of the site model; and files of users.
- Incorrect permission checks were used for site and pages children and search routes, using pages.access instead of pages.list, and files.access instead of files.list for account, site, pages, and users files and search routes.
- Panel images for site, pages, and users were displayed in parent model lists even if the image files were not listable.
- Link targets for previous and next files in the files view were not restricted by listable permissions.
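The following is an added illustration, not code from Kirby or this advisory: a constructed model of the access/list permission split, showing the flawed "list by checking access" filter next to the corrected one and applying the corrected filter to every related collection (children, siblings, parents, files) of a page. Model, PERMS, the helper names and the sample tree are assumptions made for this example.

```python
# Constructed model of the access/list split described above; not Kirby's code.
# Model, PERMS and the helper names are assumptions for illustration only.
from dataclasses import dataclass, field

@dataclass
class Model:
    id: str
    kind: str                        # "page" or "file"
    parent: "Model | None" = None
    children: list = field(default_factory=list)
    files: list = field(default_factory=list)

# Per-role permissions. "access" = may open the model itself;
# "list" = may see it inside collections (children, siblings, files, ...).
PERMS = {
    "editor": {"pages.access": True, "pages.list": False,
               "files.access": True, "files.list": False},
    "admin":  {"pages.access": True, "pages.list": True,
               "files.access": True, "files.list": True},
}

def allowed(role: str, kind: str, action: str) -> bool:
    return PERMS[role].get(f"{kind}s.{action}", False)

def list_vulnerable(role: str, models: list) -> list:
    # The flawed check the advisory describes: a listing route tested only
    # *.access, so models the role may not list still showed up in results.
    return [m for m in models if allowed(role, m.kind, "access")]

def list_fixed(role: str, models: list) -> list:
    # Corrected check: collections are filtered on the *.list permission.
    return [m for m in models if allowed(role, m.kind, "list")]

def related_fixed(role: str, page: Model) -> dict:
    # Every related collection the advisory names gets the same filter, so
    # nothing leaks through parents, siblings, children or files of a page.
    siblings = [s for s in page.parent.children if s is not page] if page.parent else []
    parents = [page.parent] if page.parent else []
    return {name: [m.id for m in list_fixed(role, coll)]
            for name, coll in (("children", page.children), ("siblings", siblings),
                               ("parents", parents), ("files", page.files))}

def build_sample_page() -> Model:
    # Constructed sample tree: blog -> a, b; page a has child a1 and file f1.
    blog = Model("blog", "page")
    a, b = Model("a", "page", parent=blog), Model("b", "page", parent=blog)
    blog.children = [a, b]
    a.children = [Model("a1", "page", parent=a)]
    a.files = [Model("f1", "file", parent=a)]
    return a
```

A regression check for the fixed behaviour is to assert that a role with access but without list sees empty collections everywhere, while the vulnerable filter returns the hidden children.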
Recommendations
Update to version 4.9.0 or later.
Update to version 5.4.0 or later.
Fix
Incorrect Authorization
Missing Authorization
Affected Products
Kirby