The vulnerability arises from missing authorization checks in Kirby CMS versions prior to 4.9.0 and 5.4.0. Authenticated Panel users with low-privileged roles can perform read actions not intended for their access level. Specifically, Kirby had no permission settings controlling access to the site model, to user objects, and to user roles. When a site developer disabled all permissions for a role with the wildcard `"*": false`, only actions explicitly gated by an existing permission were blocked; viewing the site model, listing users, and reading role information (names, descriptions, permissions) remained reachable because no permission existed for them. The following permissions were absent: `site.access`, `user.access`, `users.access` (for the user's own account and for other users), `user.list` and `users.list`. In addition, access to role metadata was not restricted by any user-based permission.

An attacker with a valid Panel account can exploit this by calling the API endpoints directly or opening the Panel views that expose this configuration and user data. Write actions are not affected, because they already require specific permissions. The severity is high for sites where not every authenticated user is trusted to view the entire user base and site structure. The patches in Kirby 4.9.0 and 5.4.0 add the missing permission checks and close the authorization gap.
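The following is an added example, not Kirby code: a toy model of Kirby-style role permissions that shows why a deny-all wildcard did not protect the reads described above. The permission names and the before/after endpoint gating follow the text of this advisory; the resolution logic is a simplified re-implementation and the endpoint table is an assumption for illustration. Roles are left out of the table because the text names no permission for them.

```python
# Added example (not Kirby's code): model of role permissions with a deny-all
# wildcard, and of endpoints that do or do not consult a permission at all.

# Constructed role blueprint in the nested form Kirby uses:
# "*" is the global default, then category -> action -> bool.
LOCKED_DOWN_ROLE = {
    "*": False,
    "access": {"panel": True},   # keep the login working
}

# Which permission each endpoint consults. None means "no check at all".
# Assumed mapping, derived from the advisory text above.
ENDPOINTS_BEFORE_PATCH = {
    "GET /api/site": None,                 # site model: ungated before the patch
    "GET /api/users": None,                # user listing: ungated before the patch
    "PATCH /api/site": ("site", "update"), # writes were already gated
}
ENDPOINTS_AFTER_PATCH = {
    "GET /api/site": ("site", "access"),   # site.access added by the patch
    "GET /api/users": ("users", "list"),   # users.list added by the patch
    "PATCH /api/site": ("site", "update"),
}


def can(permissions: dict, category: str, action: str) -> bool:
    """Resolve category.action: explicit action value, then a category-level
    value or category wildcard, then the global "*" wildcard, then Kirby's
    default of allow (simplified model of the blueprint semantics)."""
    cat = permissions.get(category)
    if isinstance(cat, bool):          # e.g. `site: false` disables a whole category
        return cat
    if isinstance(cat, dict):
        if action in cat:
            return bool(cat[action])
        if "*" in cat:
            return bool(cat["*"])
    return bool(permissions.get("*", True))


def allowed(permissions: dict, endpoint: str, gates: dict) -> bool:
    """An endpoint without a gate never asks the permission system at all,
    so the wildcard is never consulted and the request goes through."""
    required = gates[endpoint]
    if required is None:
        return True
    return can(permissions, *required)


def ungated(gates: dict) -> list:
    """Audit helper: endpoints a deny-all role can still reach."""
    return sorted(ep for ep, req in gates.items() if req is None)


def compare(permissions: dict) -> dict:
    """Per endpoint: (allowed before the patch, allowed after the patch)."""
    return {
        ep: (allowed(permissions, ep, ENDPOINTS_BEFORE_PATCH),
             allowed(permissions, ep, ENDPOINTS_AFTER_PATCH))
        for ep in ENDPOINTS_BEFORE_PATCH
    }


if __name__ == "__main__":
    for ep, (before, after) in compare(LOCKED_DOWN_ROLE).items():
        state = lambda ok: "ALLOWED" if ok else "denied"
        print(f"{ep:16} before patch: {state(before):7} after patch: {state(after)}")
    print("ungated before patch:", ungated(ENDPOINTS_BEFORE_PATCH))
```

The lesson for reviewers of any permission system: a default-deny wildcard only covers actions that actually call into the permission check. Auditing which routes never consult it (the `ungated` helper) is the check that finds this class of bug.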
dailycve form:
Platform: Kirby
Version: < 4.9.0, < 5.4.0
Vulnerability: Missing Authorization
Severity: High
Date: Unknown
Prediction: Already patched
What Undercode Says:
Analytics
Check the installed Kirby version:
composer show getkirby/cms | grep versions
List all Panel users (requires the Kirby CLI with sufficient access):
php kirby users:list
Audit the permissions section of every role blueprint:
grep -r "permissions" site/blueprints/users/*.yml
Exploit:
An authenticated low-privilege user requests the user, role or site collection directly (`GET /api/users`, `GET /api/roles`, `GET /api/site`) or opens the corresponding Panel views. Kirby versions before the patch return the full user and role lists, including the metadata described above, because no permission gates these reads. Example with HTTP Basic authentication, which Kirby's API accepts over HTTPS only when `api.basicAuth` is enabled in `site/config/config.php` (otherwise the Panel session cookie plus the `X-CSRF` header is required):
curl -u 'lowpriv@example.com:password' https://target.com/api/users
Protection from this CVE
Update to Kirby 4.9.0 or 5.4.0, or later. If you cannot update immediately, enforce the missing checks yourself via a custom plugin or revoke Panel access for untrusted users. After patching, set `site.access`, `user.access`, `users.access`, `user.list` and `users.list` to `false` in the role blueprints (site/blueprints/users/) of roles that should not see the full user base or site structure; on unpatched versions these keys have no effect because the permissions did not exist.
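A restricted role blueprint for that case, as an added example that is not taken from the Kirby project or the original advisory. The file and role name (editor) are hypothetical; nesting the dotted permission names from the text into category/action keys follows Kirby's blueprint convention and is an assumption here; `pages.read` is shown only as an example of what a real role would re-enable.

```yaml
# site/blueprints/users/editor.yml  (hypothetical role; added example)
title: Editor

permissions:
  # deny everything by default ...
  '*': false
  # ... then re-enable only what this role needs
  access:
    panel: true          # otherwise the role cannot log in at all
  pages:
    read: true
  # Permissions introduced in Kirby 4.9.0 / 5.4.0. They are already covered by
  # the wildcard above, but spelling them out documents intent. On unpatched
  # versions these keys are ignored and the reads stay open.
  site:
    access: false        # site.access: no reading of the site model
  user:
    access: false        # user.access: no reading of individual user objects
    list: false          # user.list
  users:
    access: false        # users.access
    list: false          # users.list
```

After deploying the blueprint, repeat the request from the Exploit section with an account in this role: on a patched install it must be rejected, on an unpatched one it still returns the user list, which is the quickest way to confirm that the update actually took effect.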
Impact
Unauthorized viewing of the site model (e.g., site settings and content structure), listing of all Panel users and their roles, exposure of role permissions and descriptions, and access to individual user profiles including the attacker's own and other users' metadata. No write or delete actions are possible through this flaw.
Sources:
Reported By: github.com

