CVE-2026-41325: Authorization Bypass via Blueprint Injection in Kirby CMS
Vulnerability ID: CVE-2026-41325
CVSS Score: 7.1
Published: 2026-04-24
Kirby CMS versions prior to 4.9.0 and 5.4.0 suffer from an incorrect authorization vulnerability (CWE-863) allowing authenticated users to bypass resource creation restrictions. By injecting a malicious blueprint payload during model creation, attackers can override access controls and provision unauthorized pages, files, or users.
TL;DR
Authenticated users can bypass creation privileges in Kirby CMS by injecting a custom blueprint configuration into API requests.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-863
- Attack Vector: Network
- CVSS 4.0 Score: 7.1
- EPSS Score: 0.03%
- Impact: High Integrity Loss
- Exploit Status: Proof of Concept Available
- Authentication: Required (Low Privilege)
Affected Systems
- Kirby CMS Core
- Kirby CMS Panel
- Kirby CMS API
-
getkirby/kirby: < 4.9.0 (Fixed in:
4.9.0) -
getkirby/kirby: >= 5.0.0, < 5.4.0 (Fixed in:
5.4.0)
Mitigation Strategies
- Upgrade to Kirby CMS 4.9.0 or 5.4.0 immediately.
- Audit custom API endpoints for similar property injection vectors.
- Review user roles and minimize Panel access privileges where possible.
Remediation Steps:
- Identify the current running version of Kirby CMS via the Panel or source code.
- Apply the appropriate update via Composer or manual installation corresponding to your major release branch.
- Verify the functionality of resource creation workflows post-update to ensure templates remain intact.
- Inspect recent system logs for unauthorized page, file, or user creation events prior to the update.
References
- GitHub Security Advisory GHSA-6gqr-mx34-wh8r
- CVE Record CVE-2026-41325
- NVD Entry CVE-2026-41325
- MITRE ATT&CK T1068
Read the full report for CVE-2026-41325 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)