PT-2026-37168 · Kirby · Kirby
Published 2026-05-04 · Updated 2026-05-11 · CVE-2026-42174
CVSS v4.0: 5.3 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Kirby versions prior to 4.9.0 (4.x branch)
Kirby versions prior to 5.4.0 (5.x branch)
Description
Missing authorization in the content management system allows authenticated users to create, replace, or delete user avatars even when they lack the permissions required to update user information. The avatar operations check the files.create and files.delete permissions but do not verify user.update (changing one's own account) or users.update (changing other users' accounts), which are the permissions intended to govern modification of user data. As a result, a user who holds only file permissions can make unauthorized changes to user profiles, their own or those of other users.
Recommendations
Update to version 4.9.0 or later.
Update to version 5.4.0 or later.
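The following PHP is an added illustration of the authorization gap described above; it is not Kirby's own code, and the Actor class, the two check functions and the sample role are hypothetical. The pre-fix variant consults only files.create and files.delete, as the advisory describes, while the corrected variant additionally requires user.update when the target is the acting user's own account and users.update when it is another user's account.

```php
<?php
// Added illustration, not Kirby's code. Names below are hypothetical.

final class Actor
{
    // $permissions maps flat permission names such as 'files.create',
    // 'user.update' and 'users.update' to booleans.
    public function __construct(public string $id, public array $permissions) {}

    public function can(string $permission): bool
    {
        return $this->permissions[$permission] ?? false;
    }
}

// Pre-fix behaviour as described in the advisory: only the file permission
// matching the operation is consulted; the target user is never considered.
function canChangeAvatarVulnerable(Actor $actor, string $targetUserId, string $action): bool
{
    $filePermission = $action === 'delete' ? 'files.delete' : 'files.create';
    return $actor->can($filePermission);
}

// Hardened check: the file permission is still required, and on top of it the
// actor must be allowed to update the target account. Editing one's own
// account needs 'user.update'; editing another account needs 'users.update'.
function canChangeAvatarFixed(Actor $actor, string $targetUserId, string $action): bool
{
    $filePermission = $action === 'delete' ? 'files.delete' : 'files.create';
    if (!$actor->can($filePermission)) {
        return false;
    }
    $userPermission = $actor->id === $targetUserId ? 'user.update' : 'users.update';
    return $actor->can($userPermission);
}

// Constructed sample role: may manage files, may not update any user account.
$editor = new Actor('editor-1', [
    'files.create' => true,
    'files.delete' => true,
    'user.update'  => false,
    'users.update' => false,
]);

// Attempt each avatar operation against another user's account.
foreach (['create', 'replace', 'delete'] as $action) {
    printf(
        "%-7s vulnerable=%s fixed=%s\n",
        $action,
        canChangeAvatarVulnerable($editor, 'admin-1', $action) ? 'allow' : 'deny',
        canChangeAvatarFixed($editor, 'admin-1', $action) ? 'allow' : 'deny'
    );
}
```

Run with `php avatar_check.php`. With the constructed editor role the vulnerable check allows all three operations against another user's avatar, while the corrected check denies them because neither user.update nor users.update is granted. The point to carry over to any similar endpoint is that a permission on the attached resource (the file) is not a substitute for a permission on the object it belongs to (the user).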
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Kirby