PT-2026-37165 · Kirby · Kirby

Huajihd · Published 2026-05-04 · Updated 2026-05-11 · CVE-2026-42069

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Kirby versions prior to 4.9.0
Kirby versions prior to 5.4.0

Description

Missing authorization allows authenticated Panel users to access site, user, and role information without proper permission gating. Permission checks for the site model, users, and user roles were never implemented, so even if a developer disabled all permissions with the "*": false setting, these specific actions remained accessible. The affected areas include listing and accessing the site model, as well as viewing user and role details, including names, descriptions, and configured permissions. Specifically, the missing permissions were site.access, user.access, users.access, user.list, and users.list.

Recommendations

Update to version 4.9.0 or later.
Update to version 5.4.0 or later.

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-42069
GHSA-2H7V-4372-F6X2

Affected Products

Kirby