(Kirby CMS), Authorization Bypass, CVE-2026-41325 (High)

Listen to this Post

The vulnerability is an authorization bypass in Kirby CMS that allows authenticated users to override permission settings when creating pages, files, or users. Kirby’s permission system controls which user roles can perform specific actions. These permissions are defined in user blueprints (site/blueprints/users/...) and can be customised per model in model blueprints (site/blueprints/pages/...) using the `options` feature. Prior to versions 4.9.0 and 5.4.0, Kirby allowed users to inject custom dynamic blueprint configuration into the model data during the creation of pages, files, and users. By injecting an `options` array with 'create' => true, an attacker could override the permissions and options set by the site developer. This bypasses the intended restrictions, effectively performing a privilege escalation. The vulnerability affects sites where a user role lacks pages.create, files.create, or `users.create` permissions, meaning the developer intended to block those actions. The patch in Kirby 4.9.0 and 5.4.0 introduces a filter for the `blueprint` property in the normalisation code, preventing the injection of dynamic blueprint configuration into creation requests.

dailycve form:

Platform: Kirby CMS
Version: <4.9.0,<5.4.0
Vulnerability : Auth Bypass
Severity: High
date: 2026-04-24

Prediction: Patch already available

What Undercode Say:

Analytics show a spike in exploit attempts targeting Kirby’s API endpoints, particularly those handling page and user creation. The attack vector is primarily through authenticated users manipulating the `options` parameter. The majority of affected instances are self-hosted Kirby sites that have not applied the latest security patches. The vulnerability is considered high severity due to the potential for privilege escalation and unauthorised content manipulation.

Bash & Code

Check Kirby version
php -r "include 'kirby/bootstrap.php'; echo kirby()->version();"
List installed composer packages to check kirby/cms version
composer show --locked | grep kirby/cms
Check for vulnerable versions
VERSION=$(php -r "include 'kirby/bootstrap.php'; echo kirby()->version();")
if [[ "$VERSION" < "4.9.0" && "$VERSION" != "5.4.0" ]]; then
echo "Vulnerable to CVE-2026-41325"
else
echo "Not vulnerable"
fi
// Example of a vulnerable creation request (prior to patch)
$data = [
'' => 'Malicious Page',
'blueprint' => 'default',
'options' => ['create' => true] // Injected options to bypass restrictions
];
// Send request to Kirby's API to create a page

Exploit:

An authenticated user can craft a request to the page, file, or user creation endpoint. By including a `blueprint` property in the request data, the attacker injects a dynamic blueprint configuration that overrides the site’s permission settings. For example, a user with no `pages.create` permission can include `’options’ => [‘create’ => true]` in the request, effectively granting themselves the ability to create a page. The injection bypasses the normalisation and validation steps that existed before the patch.

Protection from this CVE

  1. Upgrade Kirby: Update to Kirby 4.9.0 or 5.4.0 or later immediately.
  2. Apply Patch: If upgrading is not possible, apply the patch that filters the `blueprint` property in the creation request normalisation.
  3. Monitor API: Implement logging and monitoring for suspicious API requests that include unexpected `options` parameters.
  4. Restrict API Access: Limit API access to trusted IPs or use additional authentication layers for sensitive actions.

Impact:

  • Privilege Escalation: Authenticated users can bypass permission restrictions, performing actions they should not be allowed to do.
  • Unauthorised Content Creation: Attackers can create pages, files, or users without proper authorisation, leading to content defacement or backdoor user accounts.
  • Data Integrity: Unauthorised changes can compromise the integrity of the CMS content and system information.
  • Compliance Violations: Unauthorised access and content changes may lead to violations of data protection regulations.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top