Threat Advisory

Kirby Vulnerability Permits Admin Creation Through Headers

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Kirby CMS (composer/getkirby/cms) affecting versions up to 4.9.3 and 5.0.0-alpha.1 through 5.4.3. The issues include missing authorization checks that allow authenticated users to retrieve protected page data, an external initialization flaw that permits creation of an admin account via crafted reverse-proxy headers, and two cross-site scripting weaknesses in the DOM sanitisation and writer field that enable stored or self-XSS attacks. Collectively these vulnerabilities can lead to unauthorized disclosure of confidential content, unauthorized administrative control, and execution of malicious scripts in user browsers, posing significant operational, reputational, and compliance risks for organisations relying on Kirby-powered sites.


  • CVE-2026-54005 with a CVSS score of 7.5 – Missing authorization on the /api/site/find route allows any authenticated user who knows a page's ID or UUID to retrieve the full content and metadata of pages they are not permitted to see. Exploitation requires a valid user account and knowledge, or a successful guess, of the target page identifiers.
  • CVE-2026-54003 with a CVSS score of 9.0 – The local-only check performed during initial Panel installation trusts the Forwarded, X-Client-IP and X-Real-IP request headers, which are attacker-controlled unless the reverse proxy in front of Kirby overwrites them. An attacker who reaches a fresh installation through a proxy that passes those headers on can therefore satisfy the check from a remote address and create the first admin account. This requires a fresh installation with no existing user accounts, deployed behind a reverse proxy that forwards those headers.
  • CVE-2026-54002 with a CVSS score of 7.5 – Incomplete sanitisation in Dom::sanitize() does not strip malicious markup nested inside unknown tags, so such markup survives when an authenticated Panel user saves content through writer or list fields, resulting in stored XSS. The attacker must have edit privileges on the affected fields.
  • CVE-2026-49276 with a CVSS score of 7.5 – The writer field's link and email marks accept javascript: URLs. Because the payload is entered by the same user who triggers it, this is a self-XSS: an authenticated Panel user has to be social-engineered into entering the malicious link and then clicking it before saving.
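The header-trust mistake behind CVE-2026-54003, as an added illustration that is not Kirby's installer code: a "local-only" check that derives the client address from Forwarded, X-Client-IP or X-Real-IP is satisfiable by anyone who can send those headers, whereas a check that only honours a header when the TCP peer is a configured proxy is not. The three header names come from the advisory; the loopback ranges, the trusted-proxy list, the function names and the request environments are assumptions constructed for the example.

```python
"""Added illustration of the reverse-proxy header trust mistake behind the
installer check (not Kirby's code).  The request environments below are
constructed for the example; only the three header names come from the
advisory."""
import ipaddress
import re
from typing import Optional

# Addresses an installer would treat as "local".  Assumed for the example.
LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))


def is_loopback(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return False
    return any(ip in net for net in LOOPBACK_NETS)


def parse_forwarded_for(value: str) -> Optional[str]:
    """Return the 'for=' node of the first element of an RFC 7239 Forwarded
    header.  The node may be bare (127.0.0.1), quoted ("[::1]:8080") or carry
    a port; the client controls all of it unless a proxy rewrites it."""
    first = value.split(",", 1)[0]
    for pair in first.split(";"):
        name, _, val = pair.strip().partition("=")
        if name.lower() != "for":
            continue
        val = val.strip().strip('"')
        m = re.fullmatch(r"\[(.+)\](?::\d+)?", val)  # "[v6addr]" or "[v6addr]:port"
        if m:
            return m.group(1)
        if val.count(":") == 1:                       # "v4addr:port"
            return val.split(":")[0]
        return val
    return None


def client_ip_trusting_headers(env: dict) -> str:
    """Vulnerable pattern: whoever sends the request picks the address.
    None of the headers is checked against the TCP peer (REMOTE_ADDR)."""
    if "HTTP_FORWARDED" in env:
        node = parse_forwarded_for(env["HTTP_FORWARDED"])
        if node:
            return node
    for key in ("HTTP_X_CLIENT_IP", "HTTP_X_REAL_IP"):
        if key in env:
            return env[key].strip()
    return env["REMOTE_ADDR"]


def client_ip_hardened(env: dict, trusted_proxies: frozenset = frozenset()) -> str:
    """Honour a forwarding header only when the TCP peer is a proxy we
    configured, and then only the one header that proxy overwrites
    (X-Real-IP assumed here)."""
    peer = env["REMOTE_ADDR"]
    if peer in trusted_proxies and "HTTP_X_REAL_IP" in env:
        return env["HTTP_X_REAL_IP"].strip()
    return peer


def install_allowed_vulnerable(env: dict) -> bool:
    return is_loopback(client_ip_trusting_headers(env))


def install_allowed_hardened(env: dict, trusted_proxies: frozenset = frozenset()) -> bool:
    return is_loopback(client_ip_hardened(env, trusted_proxies))


# Constructed requests: a remote peer claiming to be local via each header.
SPOOFED_REAL_IP = {"REMOTE_ADDR": "203.0.113.10", "HTTP_X_REAL_IP": "127.0.0.1"}
SPOOFED_FORWARDED = {"REMOTE_ADDR": "203.0.113.10",
                     "HTTP_FORWARDED": 'for="[::1]:443";proto=https'}
# A genuine local client behind a proxy at 10.0.0.5 that overwrites X-Real-IP
# with the address it actually saw.
VIA_TRUSTED_PROXY = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_REAL_IP": "127.0.0.1"}

if __name__ == "__main__":
    for name, env in (("X-Real-IP spoof", SPOOFED_REAL_IP), ("Forwarded spoof", SPOOFED_FORWARDED)):
        print(f"{name}: vulnerable={install_allowed_vulnerable(env)} "
              f"hardened={install_allowed_hardened(env)}")
    print("via trusted proxy: hardened="
          f"{install_allowed_hardened(VIA_TRUSTED_PROXY, frozenset({'10.0.0.5'}))}")
```

The hardened variant is only as good as the proxy configuration it assumes: if the proxy appends to or passes through a client-supplied X-Real-IP instead of overwriting it, the trusted peer is itself relaying the spoofed value, which is exactly the deployment the advisory describes as exploitable.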
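The two sanitiser mistakes named in CVE-2026-54002 and CVE-2026-49276, as an added illustration that is not Kirby's Dom::sanitize() or writer-field code: a tag allowlist that unwraps unknown tags without sanitising their children lets a script or event handler nested under an unknown tag through, and a link mark that does not allowlist URL schemes lets javascript: through. The allowlists, class and function names, and the HTML fragments are assumptions constructed for the example; recurse_unknown=False reproduces the bug class, the default reproduces the fix.

```python
"""Added illustration (not Kirby's Dom::sanitize() or writer-field code) of
two sanitiser mistakes: not recursing into children of unknown tags, and
accepting javascript: URLs in links.  Allowlists and names are assumptions;
the HTML fragments are constructed."""
from html import escape
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "a", "strong", "em", "ul", "li", "br"}   # assumed allowlist
ALLOWED_ATTRS = {"a": {"href", "title"}}
DROP_WITH_CONTENT = {"script", "style"}                        # drop text too
VOID_TAGS = {"br", "img", "hr", "input"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}                 # "" = relative URL


class Node:
    def __init__(self, tag: Optional[str],
                 attrs: Optional[List[Tuple[str, Optional[str]]]] = None, text: str = ""):
        self.tag = tag            # None for a text node, "#root" for the fragment root
        self.attrs = attrs or []
        self.children: List["Node"] = []
        self.text = text


class TreeBuilder(HTMLParser):
    """Minimal fragment parser producing a Node tree."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.root = Node("#root")
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        node = Node(tag, attrs)
        self.stack[-1].children.append(node)
        if tag not in VOID_TAGS:
            self.stack.append(node)

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i].tag == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        self.stack[-1].children.append(Node(None, text=data))


def url_is_safe(url: str) -> bool:
    """Scheme allowlist.  Browsers ignore tab/CR/LF inside a URL, so strip
    them before looking at the scheme; urlsplit lower-cases it for us."""
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n").strip()
    return urlsplit(cleaned).scheme in SAFE_SCHEMES


def sanitize(node: Node, recurse_unknown: bool = True) -> List[Node]:
    """Return sanitised copies of `node`.  recurse_unknown=False reproduces
    the bug class: an unknown tag is unwrapped, its children pass through."""
    if node.tag is None:
        return [Node(None, text=node.text)]
    if node.tag in DROP_WITH_CONTENT:
        return []
    if node.tag != "#root" and node.tag not in ALLOWED_TAGS:
        if not recurse_unknown:
            return list(node.children)            # BUG: unsanitised subtree
        out: List[Node] = []
        for child in node.children:
            out.extend(sanitize(child, recurse_unknown))
        return out
    clean = Node(node.tag)
    for name, value in node.attrs:
        if name not in ALLOWED_ATTRS.get(node.tag, set()):
            continue
        if name == "href" and not url_is_safe(value or ""):
            continue                              # drop javascript: and friends
        clean.attrs.append((name, value))
    for child in node.children:
        clean.children.extend(sanitize(child, recurse_unknown))
    return [clean]


def render(node: Node) -> str:
    if node.tag is None:
        return escape(node.text)
    inner = "".join(render(c) for c in node.children)
    if node.tag == "#root":
        return inner
    attrs = "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in node.attrs)
    if node.tag in VOID_TAGS:
        return f"<{node.tag}{attrs}>"
    return f"<{node.tag}{attrs}>{inner}</{node.tag}>"


def sanitize_html(fragment: str, recurse_unknown: bool = True) -> str:
    builder = TreeBuilder()
    builder.feed(fragment)
    builder.close()
    return render(sanitize(builder.root, recurse_unknown)[0])


if __name__ == "__main__":
    STORED = '<p>hi<custom><script>alert(1)</script><img src=x onerror=alert(1)></custom></p>'
    LINK = '<a href="JAVA\tSCRIPT:alert(1)" title="t">click</a>'
    print("buggy:", sanitize_html(STORED, recurse_unknown=False))
    print("fixed:", sanitize_html(STORED))
    print("link :", sanitize_html(LINK))
```

The scheme check deliberately operates on the decoded attribute value (HTMLParser has already resolved entities such as `&#106;avascript:`) and removes the tab/newline characters browsers ignore, since a check on the raw source text would miss both encodings.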

These flaws collectively expose Kirby installations to data leakage, unauthorized admin takeover, and script-based attacks that can compromise user sessions and alter site content. If exploited, organisations may face loss of confidential information, disruption of services, and damage to brand reputation, potentially triggering regulatory penalties. Prompt remediation is essential to prevent attackers from gaining privileged access or injecting malicious code.

RECOMMENDATION:

  • Update Kirby to version 4.9.4 (4.x branch) or 5.4.4 (5.x branch); earlier releases of both branches are affected.
  • Until the update is applied, do not leave an installation that has no user account yet reachable through a reverse proxy that passes client-supplied Forwarded, X-Client-IP or X-Real-IP headers on to Kirby; create the first admin account locally, and configure the proxy to overwrite those headers with the real peer address rather than forward them.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-r3w8-2c5r-h9j9
https://github.com/advisories/GHSA-whxw-24jc-cwmv
https://github.com/advisories/GHSA-wr9h-4r83-f4v6
https://github.com/advisories/GHSA-rhj6-r49h-5932
