CVE-2026-40099: Incorrect Authorization Bypass in Kirby CMS Page Creation
Vulnerability ID: CVE-2026-40099
CVSS Score: 5.3
Published: 2026-04-23
Kirby CMS versions prior to 4.9.0 and 5.4.0 contain an incorrect authorization vulnerability in the REST API. Authenticated users with page creation permissions can bypass editorial workflows to publish content directly, circumventing the intended status change restrictions.
TL;DR
An authorization bypass in Kirby CMS allows attackers with pages.create permissions to publish pages directly via the REST API, bypassing the required pages.changeStatus permission check.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Class: Incorrect Authorization (CWE-863)
- Attack Vector: Network (REST API POST requests)
- Authentication Required: Yes (Requires pages.create permission)
- CVSS v4.0 Score: 5.3 (Medium)
- Confidentiality Impact: None
- Integrity Impact: Low (Unauthorized content publication)
- Availability Impact: None
- CISA KEV Status: Not Listed
Affected Systems
- Kirby CMS Core
- Kirby REST API
- Kirby CMS: < 4.9.0 (Fixed in: 4.9.0)
- Kirby CMS: >= 5.0.0, < 5.4.0 (Fixed in: 5.4.0)
Code Analysis
Commit: c11d9f2
Core fix for PageRules::create implementing publish authorization logic
Commit: bd55bab
Blueprint injection prevention in normalizeProps
Commit: 402a94d
Introduced validateAccess to enforce area-specific API permissions
Mitigation Strategies
- Upgrade Kirby CMS application core to a patched version
- Audit and restrict 'pages.create' permissions to trusted roles
- As an interim workaround, grant 'pages.create' only to roles that legitimately also hold 'pages.changeStatus', so that no role can create pages without being permitted to change their status
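The two permission-audit items above can be checked mechanically against the role blueprints under site/blueprints/users. The following script is an added example written for this advisory, not Kirby's own code: it flags every role that holds pages.create without pages.changeStatus, which is exactly the combination the bypass exploits. It assumes, as Kirby's blueprint documentation describes, that `permissions.pages` is either a single boolean covering every page action or a mapping of action names to booleans, and that an action not listed defaults to allowed; the blueprints below are constructed sample data already parsed into dictionaries (load the real YAML files with a YAML library of your choice).

```python
"""Audit Kirby user-role blueprints for pages.create without pages.changeStatus.

Added example for CVE-2026-40099, not part of Kirby. Assumption (per Kirby's
blueprint docs): `permissions.pages` is a bool applying to all page actions or
a mapping action -> bool, and an action that is not listed is allowed.
"""
from typing import Any


def page_permission(blueprint: dict[str, Any], action: str) -> bool:
    """Resolve the effective value of permissions.pages.<action> for one role."""
    perms = blueprint.get("permissions")
    if perms is None:          # no permissions block: everything is allowed
        return True
    if isinstance(perms, bool):  # `permissions: false` disables everything
        return perms
    pages = perms.get("pages", True)
    if isinstance(pages, bool):  # `pages: false` disables every page action
        return pages
    return bool(pages.get(action, True))


def audit_roles(blueprints: dict[str, dict[str, Any]]) -> list[str]:
    """Return the roles that may create pages but may not change page status.

    On unpatched Kirby these roles can publish directly via the REST API; on a
    patched install they still deserve review, because the advisory's interim
    workaround is to grant pages.create only alongside pages.changeStatus.
    """
    flagged = []
    for role, blueprint in blueprints.items():
        can_create = page_permission(blueprint, "create")
        can_change_status = page_permission(blueprint, "changeStatus")
        if can_create and not can_change_status:
            flagged.append(role)
    return flagged


# Constructed sample blueprints, mirroring the shape of site/blueprints/users/<role>.yml
SAMPLE_BLUEPRINTS: dict[str, dict[str, Any]] = {
    "admin": {"title": "Admin"},  # no permissions block: all actions allowed
    "editor": {
        "title": "Editor",
        "permissions": {"pages": {"create": True, "changeStatus": False}},
    },
    "contributor": {
        "title": "Contributor",
        "permissions": {"pages": {"create": True, "changeStatus": False, "delete": False}},
    },
    "reviewer": {
        "title": "Reviewer",
        "permissions": {"pages": {"create": False, "changeStatus": True}},
    },
    "guest": {"title": "Guest", "permissions": {"pages": False}},
}


if __name__ == "__main__":
    for role in audit_roles(SAMPLE_BLUEPRINTS):
        print(f"review role '{role}': pages.create granted without pages.changeStatus")
```

Run against the sample data the script reports `editor` and `contributor`; `admin` (no restrictions), `reviewer` (cannot create) and `guest` (no page actions at all) are not affected by this bug's precondition.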
Remediation Steps:
- Verify the current Kirby CMS version installed on the server.
- Download Kirby 4.9.0 or 5.4.0 from the official repository or update via Composer.
- Deploy the updated codebase to a staging environment and verify that editorial workflows function correctly.
- Deploy the patch to the production environment.
- Audit existing pages to identify any content created and published without appropriate editorial review.
References
- GitHub Security Advisory GHSA-w942-j9r6-hr6r
- Kirby 4.9.0 Release
- Kirby 5.4.0 Release
- Fix Commit: Page Creation Authorization logic
- Fix Commit: Blueprint Injection Prevention