{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/cms--4.8.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["cms (\u003c= 4.8.0)","cms (\u003e= 5.0.0, \u003c= 5.3.3)","Kirby Panel","Kirby REST API"],"_cs_severities":["high"],"_cs_tags":["authorization","cms","web-application"],"_cs_type":"advisory","_cs_vendors":["getkirby"],"content_html":"\u003cp\u003eKirby CMS versions prior to 4.9.0 and between 5.0.0 and 5.3.3 are vulnerable to a missing authorization flaw. This vulnerability impacts Kirby sites where user roles are intentionally configured with restricted access to pages or files through disabled \u003ccode\u003epages.access\u003c/code\u003e, \u003ccode\u003epages.list\u003c/code\u003e, \u003ccode\u003efiles.access\u003c/code\u003e, or \u003ccode\u003efiles.list\u003c/code\u003e permissions. The issue stems from inconsistent permission checks within the Kirby Panel and REST API, allowing authenticated users to access resources they should not be able to. Updating to versions 4.9.0, 5.4.0, or later resolves this vulnerability by implementing consistent permission checks. The vulnerability is identified as CVE-2026-42137.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user logs into the Kirby CMS Panel or REST API.\u003c/li\u003e\n\u003cli\u003eThe user attempts to access a page or file for which their role lacks the necessary \u003ccode\u003epages.access\u003c/code\u003e/\u003ccode\u003efiles.access\u003c/code\u003e or \u003ccode\u003epages.list\u003c/code\u003e/\u003ccode\u003efiles.list\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eDue to inconsistent permission checks, the user can view the page or file details via the \u0026ldquo;changes\u0026rdquo; dialog in the Panel, even if listing is disabled.\u003c/li\u003e\n\u003cli\u003eThe user accesses the REST API, which, despite direct access checks, fails to properly filter collections or related models (children, drafts, files, etc.).\u003c/li\u003e\n\u003cli\u003eThe attacker views images associated with restricted site, pages, or user resources in lists within the Panel.\u003c/li\u003e\n\u003cli\u003eThe user exploits the incorrect permission check (using \u003ccode\u003epages.access\u003c/code\u003e instead of \u003ccode\u003epages.list\u003c/code\u003e or \u003ccode\u003efiles.access\u003c/code\u003e instead of \u003ccode\u003efiles.list\u003c/code\u003e in specific API routes).\u003c/li\u003e\n\u003cli\u003eThe user traverses to previous or next files using direct links in the files view, even if those files should not be listable.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information or modifies content due to the bypassed permission checks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows authenticated users to bypass intended access restrictions within Kirby CMS, leading to potential unauthorized access to sensitive information and/or unauthorized content modification. The inconsistent permission checks in the Panel and REST API could result in unintended disclosure of data restricted by role-based access controls. Successful exploitation could compromise the confidentiality and integrity of the affected Kirby CMS instance. While the advisory does not list the number of victims, this flaw impacts any Kirby site with restricted roles.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Kirby CMS version 4.9.0 or 5.4.0 (or later) to patch the vulnerability as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eReview user role permissions and blueprint configurations to ensure appropriate access controls are in place after patching, as described in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual API requests to resources that should be restricted, using the rules below, to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on API endpoints to mitigate potential brute-force attacks attempting to exploit this or other vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T21:03:20Z","date_published":"2026-04-30T21:03:20Z","id":"/briefs/2026-04-kirby-auth-bypass/","summary":"A missing authorization vulnerability in Kirby CMS allows authenticated users to bypass intended access restrictions on pages and files, potentially leading to unauthorized information disclosure and content modification; patched in versions 4.9.0 and 5.4.0.","title":"Kirby CMS Missing Authorization Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-kirby-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["cms (\u003c= 4.8.0)","cms (\u003e= 5.0.0, \u003c= 5.3.3)"],"_cs_severities":["high"],"_cs_tags":["authorization","privilege-escalation","web-application"],"_cs_type":"advisory","_cs_vendors":["Kirby"],"content_html":"\u003cp\u003eKirby CMS, a file-based content management system, has a missing authorization flaw that allows authenticated users to access sensitive site, user, and role information without the necessary permissions. This vulnerability affects installations where there are potentially untrusted authenticated users. The issue stems from the lack of permission settings controlling access to the site model, users, and user roles. Specifically, the permissions \u003ccode\u003esite.access\u003c/code\u003e, \u003ccode\u003euser.access\u003c/code\u003e, \u003ccode\u003eusers.access\u003c/code\u003e, \u003ccode\u003euser.list\u003c/code\u003e, and \u003ccode\u003eusers.list\u003c/code\u003e were missing. This vulnerability was reported by @HuajiHD and patched in Kirby versions 4.9.0 and 5.4.0. Sites that explicitly intend all authenticated users to have read access to all site, user, and role information are not affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains valid credentials for a user account with access to the Kirby Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Kirby Panel using their credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to access the site model data. This could involve accessing specific API endpoints related to site configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to list all users within the Kirby CMS.\u003c/li\u003e\n\u003cli\u003eThe system, lacking proper authorization checks, returns the requested site model and user list data to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to list existing roles, their names, descriptions, and configured permissions.\u003c/li\u003e\n\u003cli\u003eThe system returns the requested role information, again bypassing intended permission restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized knowledge of the site structure, user accounts, and role permissions, which can be used to escalate privileges or further compromise the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker with low-privilege Panel access to enumerate users, roles, and site configurations. This information can be used to identify privileged accounts, understand the site\u0026rsquo;s structure, and potentially escalate privileges by exploiting other vulnerabilities or misconfigurations. This impacts all Kirby sites using versions \u0026lt;= 4.8.0 and versions \u0026gt;= 5.0.0 and \u0026lt;= 5.3.3 where authenticated users are not fully trusted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Kirby version 4.9.0 or 5.4.0 or later to patch the vulnerability as described in the advisory.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions after upgrading to ensure appropriate access controls are in place.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting user and role enumeration endpoints after deploying the below rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-kirby-auth-bypass/","summary":"Kirby CMS versions before 4.9.0 and between 5.0.0 and 5.3.3 contain a missing authorization vulnerability, allowing authenticated Panel users to access site model, user, and role information without proper permission checks, potentially leading to unauthorized information disclosure.","title":"Kirby CMS Missing Authorization Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-kirby-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cms (\u003c= 4.8.0)","version":"https://jsonfeed.org/version/1.1"}