Composer/Getkirby/Cms (Vulnerable: <= 4.9.3) - CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/composer/getkirby/cms-vulnerable--4.9.3/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 18 Jun 2026 15:24:09 +0000Kirby CMS Missing Authorization Vulnerability in /api/site/find (CVE-2026-54005)https://feed.craftedsignal.io/briefs/2026-06-kirby-unauth-page-access/Thu, 18 Jun 2026 15:24:09 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-06-kirby-unauth-page-access/An authenticated user can exploit CVE-2026-54005, a high-severity missing authorization vulnerability in Kirby CMS versions <= 4.9.3 and from 5.0.0-alpha.1 to <= 5.4.3, via the `/api/site/find` REST API route to bypass `pages.access` permissions and retrieve sensitive content and metadata from unauthorized pages.A high-severity missing authorization vulnerability, identified as CVE-2026-54005, affects Kirby CMS in versions up to 4.9.3 and from 5.0.0-alpha.1 up to 5.4.3. This flaw allows authenticated users to bypass pages.access permissions and retrieve full content and metadata for arbitrary pages they are not authorized to view. The vulnerability resides in the /api/site/find REST API route, which fails to properly check user permissions for queried pages. Discovered by Rizky Muhammad (@EvidentObscurity), this issue could lead to significant sensitive information disclosure, particularly in sites where user roles are configured with granular page access restrictions. The vulnerability does not affect write actions or draft pages, but the ability to enumerate and extract unauthorized published content poses a substantial risk to data confidentiality.

Attack Chain

  1. An attacker obtains valid credentials for a Kirby CMS user account, potentially through phishing, brute-force, or exploitation of other vulnerabilities.
  2. The authenticated attacker logs into the Kirby CMS administration panel or directly interacts with the Kirby API.
  3. The attacker crafts an HTTP GET request targeting the vulnerable /api/site/find REST API route.
  4. The request includes page IDs or UUIDs of specific pages the attacker wishes to access, even if their assigned role does not grant pages.access permission to those pages.
  5. Due to the missing authorization check (CVE-2026-54005), the Kirby application processes the request without validating the user's pages.access rights for the specified pages.
  6. The server responds with the full content and metadata of the requested published pages, including potentially sensitive information, bypassing the intended access controls.
  7. The attacker extracts and analyzes the disclosed data, potentially leading to further compromise or sensitive data exfiltration.

Impact

Successful exploitation of CVE-2026-54005 leads to the unauthorized disclosure of sensitive information. Attackers can retrieve the full content and metadata of any published page within the affected Kirby CMS, even if their account lacks explicit pages.access permissions for those pages. This includes confirming the existence of pages and extracting confidential data stored in page fields. While the vulnerability does not allow for write access or exposure of draft pages, the compromise of information confidentiality can be significant for organizations that rely on Kirby CMS for content management with differentiated access levels. The specific number of victims and sectors affected are not publicly detailed, but any Kirby site with the specified version range and restricted pages.access configurations is at risk.

Recommendation

  • Immediately patch Kirby CMS to version 4.9.4, 5.4.4, or a later version to remediate CVE-2026-54005.
  • Deploy the provided Sigma rules to your SIEM solution to detect suspicious activity related to the /api/site/find endpoint.
  • Monitor web server access logs for anomalous or high-volume requests targeting the /api/site/find route from specific users or IP addresses.
]]>highadvisorycmsvulnerabilitykirbyinformation-disclosureapiwebserver