Home

Description

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or site to the page picker backend and confirm arbitrary page existence and retrieve title field values. This issue is fixed in versions 4.9.4 and 5.4.4.

PUBLISHED Reserved 2026-05-28 | Published 2026-07-09 | Updated 2026-07-14 | Assigner GitHub_M




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-862: Missing Authorization

Product status

< 4.9.4
affected

>= 5.0.0, < 5.4.4
affected

References

github.com/.../kirby/security/advisories/GHSA-23q2-54qv-rq5x

github.com/...ommit/1ae575da24e1b1cb8803a031d37eff14606d7c55

github.com/...ommit/3bad37117adf2013548a784f820ddb2d8317333c

github.com/...ommit/3f4398cdcf9f50f84fdac52ad78a7a85fb31589f

github.com/...ommit/bffffce6c081f69c46163cc89b1fd18ccf2a18d1

github.com/getkirby/kirby/releases/tag/4.9.4

github.com/getkirby/kirby/releases/tag/5.4.4

cve.org (CVE-2026-49274)

nvd.nist.gov (CVE-2026-49274)

Download JSON