{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41325", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T14:01:46.672Z", "datePublished": "2026-04-24T00:38:50.106Z", "dateUpdated": "2026-04-24T12:11:41.783Z"}, "containers": {"cna": {"title": "Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/getkirby/kirby/security/advisories/GHSA-6gqr-mx34-wh8r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-6gqr-mx34-wh8r"}, {"name": "https://github.com/getkirby/kirby/releases/tag/4.9.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/getkirby/kirby/releases/tag/4.9.0"}, {"name": "https://github.com/getkirby/kirby/releases/tag/5.4.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/getkirby/kirby/releases/tag/5.4.0"}], "affected": [{"vendor": "getkirby", "product": "kirby", "versions": [{"version": "< 4.9.0", "status": "affected"}, {"version": ">= 5.0.0, < 5.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T00:38:50.106Z"}, "descriptions": [{"lang": "en", "value": "Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. Kirby provides the `pages.create`, `files.create` and `users.create` permissions (among others). These permissions can again be set in the user blueprint and/or in the blueprint of the target model via `options`. Prior to versions 4.9.0 and 5.4.0, Kirby allowed to override the `options` during the creation of pages, files and users by injecting custom dynamic blueprint configuration into the model data. The injected `options` could include `'create' => true`, which then caused an override of the permissions and options configured by the site developer in the user and model blueprints. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. The patched versions have updated the normalization code that is used during the creation of pages, files and users to include a filter for the `blueprint` property. This prevents the injection of dynamic blueprint configuration into the creation request."}], "source": {"advisory": "GHSA-6gqr-mx34-wh8r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T12:11:33.355488Z", "id": "CVE-2026-41325", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T12:11:41.783Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41325", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T14:01:46.672Z", "datePublished": "2026-04-24T00:38:50.106Z", "dateUpdated": "2026-04-24T12:11:41.783Z"}, "containers": {"cna": {"title": "Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/getkirby/kirby/security/advisories/GHSA-6gqr-mx34-wh8r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-6gqr-mx34-wh8r"}, {"name": "https://github.com/getkirby/kirby/releases/tag/4.9.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/getkirby/kirby/releases/tag/4.9.0"}, {"name": "https://github.com/getkirby/kirby/releases/tag/5.4.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/getkirby/kirby/releases/tag/5.4.0"}], "affected": [{"vendor": "getkirby", "product": "kirby", "versions": [{"version": "< 4.9.0", "status": "affected"}, {"version": ">= 5.0.0, < 5.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T00:38:50.106Z"}, "descriptions": [{"lang": "en", "value": "Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. Kirby provides the `pages.create`, `files.create` and `users.create` permissions (among others). These permissions can again be set in the user blueprint and/or in the blueprint of the target model via `options`. Prior to versions 4.9.0 and 5.4.0, Kirby allowed to override the `options` during the creation of pages, files and users by injecting custom dynamic blueprint configuration into the model data. The injected `options` could include `'create' => true`, which then caused an override of the permissions and options configured by the site developer in the user and model blueprints. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. The patched versions have updated the normalization code that is used during the creation of pages, files and users to include a filter for the `blueprint` property. This prevents the injection of dynamic blueprint configuration into the creation request."}], "source": {"advisory": "GHSA-6gqr-mx34-wh8r", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41325", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T12:11:33.355488Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T12:11:36.571Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*", "matchCriteriaId": "1BB5394F-37F9-4A53-9CE7-79548F674886", "versionEndExcluding": "4.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2D943B9-CD71-45FE-A1A4-158603C3502E", "versionEndExcluding": "5.4.0", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. Kirby provides the `pages.create`, `files.create` and `users.create` permissions (among others). These permissions can again be set in the user blueprint and/or in the blueprint of the target model via `options`. Prior to versions 4.9.0 and 5.4.0, Kirby allowed to override the `options` during the creation of pages, files and users by injecting custom dynamic blueprint configuration into the model data. The injected `options` could include `'create' => true`, which then caused an override of the permissions and options configured by the site developer in the user and model blueprints. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. The patched versions have updated the normalization code that is used during the creation of pages, files and users to include a filter for the `blueprint` property. This prevents the injection of dynamic blueprint configuration into the creation request."}], "id": "CVE-2026-41325", "lastModified": "2026-04-27T19:07:45.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T01:16:12.427", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/getkirby/kirby/releases/tag/4.9.0"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/getkirby/kirby/releases/tag/5.4.0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-6gqr-mx34-wh8r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.9.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.4.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "inferred", "scores": [{"score": 100.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "kirby", "source": "cna", "vendor": "getkirby"}, "product": "kirby", "vendor": "getkirby"}], "analysis": {"en": {"generated_at": "2026-04-28T23:49:06.871050+00:00", "value": {"mitigation_remediation": ["Upgrade the Kirby installation to at least version 4.9.0 for the 4.x line or 5.4.0 for the 5.x line, which contains the fixed blueprint filter.", "Examine all custom blueprints and ensure that no dynamic configuration sets a 'create' => true flag for protected roles.", "Restrict access to the content and user creation endpoints to trusted roles and apply network controls to reduce the attack surface.", "Audit any plugins or extensions that may inject blueprint data during creation to confirm they do not re\u2011introduce the vulnerability."], "summary": {"action": "Patch Immediately", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the open-source Kirby CMS product from getkirby:kirby. All releases before 4.9.0 and before 5.4.0 are vulnerable. Any installation that uses the default or custom page, file, or user blueprints where the 'options' feature is enabled is affected.", "description_and_impact": "Kirby CMS allows developers to define granular permissions in user and model blueprints. Prior to version 4.9.0 of the 4.x line and 5.4.0 of the 5.x line, the system permitted the injection of dynamic blueprint configuration into page, file, or user creation requests. An attacker could embed custom options that set a 'create' flag to true, thereby overriding the intended permissions and enabling creation of content or users without the required role. The vulnerability is categorized as CWE-863, improper authorization.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high severity. The EPSS score of less than 1% indicates a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to submit a creation request that includes custom blueprint configuration. Because the attacker can manipulate the data sent during creation, the threat is to permit unauthorized creation of pages, files, or users with elevated permissions."}}}}, "created": "2026-04-28T06:00:08.467521+00:00", "updated": "2026-04-29T00:00:13.810606+00:00", "vendors": ["getkirby", "getkirby$PRODUCT$kirby"]}