{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/composer/getkirby/cms-vulnerable--4.9.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["composer/getkirby/cms (vulnerable: \u003c= 4.9.3)","composer/getkirby/cms (vulnerable: \u003e= 5.0.0-alpha.1, \u003c= 5.4.3)"],"_cs_severities":["high"],"_cs_tags":["cms","vulnerability","kirby","information-disclosure","api","webserver"],"_cs_type":"advisory","_cs_vendors":["Kirby"],"content_html":"\u003cp\u003eA high-severity missing authorization vulnerability, identified as CVE-2026-54005, affects Kirby CMS in versions up to and including 4.9.3 and from 5.0.0-alpha.1 through 5.4.3. This flaw allows authenticated users to bypass \u003ccode\u003epages.access\u003c/code\u003e permissions and retrieve the full content and metadata of arbitrary pages they are not authorized to view. The vulnerability resides in the \u003ccode\u003e/api/site/find\u003c/code\u003e REST API route, which fails to check the requesting user's permissions for the queried pages. Discovered by Rizky Muhammad (@EvidentObscurity), this issue can lead to significant disclosure of sensitive information, particularly on sites whose user roles are configured with granular page access restrictions. The vulnerability does not affect write actions or draft pages, but the ability to enumerate and extract published content without authorization poses a substantial risk to data confidentiality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains valid credentials for a Kirby CMS user account, for example through phishing, credential brute-forcing, or exploitation of another vulnerability.\u003c/li\u003e\n\u003cli\u003eThe authenticated attacker logs into the Kirby Panel (the administration interface) or interacts directly with the Kirby REST API.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the vulnerable \u003ccode\u003e/api/site/find\u003c/code\u003e REST API route.\u003c/li\u003e\n\u003cli\u003eThe request carries the page IDs or UUIDs of the pages the attacker wants to read, even though the attacker's role does not grant \u003ccode\u003epages.access\u003c/code\u003e permission for those pages.\u003c/li\u003e\n\u003cli\u003eBecause of the missing authorization check (CVE-2026-54005), Kirby processes the request without validating the user's \u003ccode\u003epages.access\u003c/code\u003e rights for the specified pages.\u003c/li\u003e\n\u003cli\u003eThe server responds with the full content and metadata of the requested published pages, including any sensitive information they contain, bypassing the intended access controls.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts and analyzes the disclosed data, which may enable further compromise or exfiltration of sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-54005 leads to the unauthorized disclosure of sensitive information. Attackers can retrieve the full content and metadata of any published page in an affected Kirby CMS installation, even if their account lacks \u003ccode\u003epages.access\u003c/code\u003e permission for those pages. This includes confirming that a page exists and extracting confidential data stored in its fields. While the vulnerability does not grant write access or expose draft pages, the loss of confidentiality can be significant for organizations that use Kirby CMS with differentiated access levels. Specific victims and affected sectors are not publicly detailed, but any Kirby site running an affected version with restrictive \u003ccode\u003epages.access\u003c/code\u003e configurations is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update Kirby CMS to version \u003ca href=\"https://github.com/getkirby/kirby/releases/tag/4.9.4\"\u003e4.9.4\u003c/a\u003e, \u003ca href=\"https://github.com/getkirby/kirby/releases/tag/5.4.4\"\u003e5.4.4\u003c/a\u003e, or later to remediate CVE-2026-54005.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious activity involving the \u003ccode\u003e/api/site/find\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for anomalous or high-volume requests to the \u003ccode\u003e/api/site/find\u003c/code\u003e route from individual users or IP addresses; a burst of such requests from one account is the most direct indicator that it is enumerating pages it should not be able to read.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:24:09Z","date_published":"2026-06-18T15:24:09Z","id":"https://feed.craftedsignal.io/briefs/2026-06-kirby-unauth-page-access/","summary":"An authenticated user can exploit CVE-2026-54005, a high-severity missing authorization vulnerability in Kirby CMS versions \u003c= 4.9.3 and 5.0.0-alpha.1 through 5.4.3, via the `/api/site/find` REST API route to bypass `pages.access` permissions and retrieve sensitive content and metadata from pages the user is not authorized to view.","title":"Kirby CMS Missing Authorization Vulnerability in /api/site/find (CVE-2026-54005)","url":"https://feed.craftedsignal.io/briefs/2026-06-kirby-unauth-page-access/"}],"language":"en","title":"CraftedSignal Threat Feed - Composer/Getkirby/Cms (Vulnerable: \u003c= 4.9.3)","version":"https://jsonfeed.org/version/1.1"}
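Worked detection example for the log-monitoring recommendation in the brief above. This is an added example, not code from Kirby, CraftedSignal, or the feed item: it parses combined-format (nginx/Apache) access-log lines and reports clients whose requests to /api/site/find exceed a sliding-window threshold. The sample log lines are constructed, the 20-requests-in-5-minutes threshold is an assumed tuning value, and the /api prefix assumes Kirby's default API slug.

```python
"""Detect bursts of requests to Kirby's /api/site/find in access logs.

Added example (not Kirby or CraftedSignal code): parses combined-format
(nginx/Apache) access-log lines and reports clients that hit the endpoint
at least THRESHOLD times inside any WINDOW_SECONDS span. The log lines in
SAMPLE_LOG are constructed, not real traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: Kirby's default API slug (/api) is in use; adjust the prefix if it was changed.
TARGET_RE = re.compile(r"^/api/site/find(?:[?#]|$)")

# Assumed tuning values: a Panel user browsing normally triggers a handful of these
# calls per minute, so 20 hits in 5 minutes from one client is treated as a burst.
THRESHOLD = 20
WINDOW_SECONDS = 300


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bursts(lines, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Sliding-window count of /api/site/find hits per (ip, user).

    The user field is only filled when the API is called with HTTP Basic auth;
    Panel session traffic logs '-' there, so the client IP is the primary key.
    Returns {(ip, user): {"peak": n, "total": n, "ok": n}} for clients whose
    peak count within the window reaches `threshold`; "ok" counts HTTP 200s,
    i.e. responses that actually returned page data.
    """
    window = timedelta(seconds=window_seconds)
    recs = [r for r in map(parse_line, lines) if r and TARGET_RE.match(r["path"])]
    recs.sort(key=lambda r: r["ts"])  # access logs are normally ordered; sort defensively
    windows = defaultdict(deque)
    stats = defaultdict(lambda: {"peak": 0, "total": 0, "ok": 0})
    for r in recs:
        key = (r["ip"], r["user"])
        w = windows[key]
        w.append(r["ts"])
        while r["ts"] - w[0] > window:  # drop hits older than the window
            w.popleft()
        s = stats[key]
        s["total"] += 1
        s["ok"] += r["status"] == 200
        s["peak"] = max(s["peak"], len(w))
    return {k: v for k, v in stats.items() if v["peak"] >= threshold}


def _log_line(ip, user, ts, path, status):
    """Build one constructed combined-format line for the sample below."""
    return (f'{ip} - {user} [{ts.strftime(TS_FMT)}] "POST {path} HTTP/1.1" {status} 812 '
            f'"https://cms.example/panel/site" "Mozilla/5.0"')


T0 = datetime.strptime("18/Jun/2026:15:20:00 +0000", TS_FMT)

# Constructed sample: an editor browsing the Panel (4 calls in ~2 min), a client
# enumerating pages (35 calls in under 3 min), and unrelated lines that must be ignored.
SAMPLE_LOG = (
    [_log_line("198.51.100.5", "-", T0 + timedelta(seconds=40 * i), "/api/site/find", 200)
     for i in range(4)]
    + [_log_line("203.0.113.7", "-", T0 + timedelta(seconds=5 * i), "/api/site/find", 200)
       for i in range(35)]
    + [_log_line("198.51.100.5", "-", T0 + timedelta(seconds=10), "/api/pages/home", 200),
       _log_line("203.0.113.7", "-", T0 + timedelta(seconds=1), "/panel/site", 200),
       "not an access log line"]
)

if __name__ == "__main__":
    for (ip, user), s in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip} user={user}: peak {s['peak']} hits in {WINDOW_SECONDS}s, "
              f"{s['total']} total, {s['ok']} returned 200")
```

Run it against a real log by replacing SAMPLE_LOG with the lines of your access log; on an unpatched install a burst of 200 responses is the disclosure itself, while after updating to 4.9.4 or 5.4.4 the same burst with non-200 responses still shows an account probing pages it is not permitted to read.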