Kirby CMS: Seven Bugs Patched in One Advisory, Including Critical Auth Bypass
Key findings
- Critical CVE-2026-54003 allows unauthenticated admin creation via spoofed reverse proxy headers
- Two CVEs bypass the pages.access permission in REST API and page picker
- Draft file URLs are exposed without authentication on Kirby 4 and Kirby 5 with fileRedirects enabled
- Stored XSS in writer/list fields via incomplete HTML sanitization (CVE-2026-54002)
- Self-XSS in writer field link targets (CVE-2026-49276)
- Request header injection in the Kirby\Http\Remote class (CVE-2026-50188)
The Kirby CMS team published a coordinated security advisory on June 18, 2026, disclosing seven distinct vulnerabilities affecting both Kirby 4 and Kirby 5. The batch spans critical, high, and medium-severity issues — including an authentication bypass that could allow unauthenticated attackers to take over unconfigured Panel installations, multiple permission bypasses, cross-site scripting (XSS) flaws, and a request header injection bug. Users are urged to update to the latest patched versions immediately.
Critical: Unauthenticated Panel Initialization via Reverse Proxy Headers
The most severe issue, CVE-2026-54003 (CVSS 9.8, critical), affects Kirby sites that have no configured user accounts and are running behind a reverse proxy that sets the Forwarded, X-Client-IP, or X-Real-IP headers. An attacker can spoof these headers to trigger the Panel's first-user setup flow, effectively creating an admin account without any authentication. This is particularly dangerous for fresh installations or demo sites that have not yet created an admin user.
Permission Bypasses: pages.access and Draft File Access
Two CVEs address the same root cause — the pages.access permission not being enforced in certain API routes. CVE-2026-54005 (high) allows users without pages.access permission to retrieve page data via the site/find REST API route. CVE-2026-49274 (high) similarly bypasses the permission check in the pages picker for parent pages, potentially exposing the site tree to unauthorized users.
CVE-2026-54004 (medium) targets a different permission gap: on Kirby 5 sites with content.fileRedirects enabled (or all Kirby 4 sites, where the option is on by default), clean file URLs of top-level drafts — such as /about-us/team.jpg — are accessible without authentication. This leaks draft content that should remain private.
Cross-Site Scripting in the Writer Field and Sanitization
Two XSS bugs were disclosed. CVE-2026-54002 (high) stems from incomplete HTML/XML sanitization in Dom::sanitize() and related methods. Any site or plugin using the writer or list fields, or calling sanitization functions with untrusted input, is vulnerable to stored XSS.
CVE-2026-49276 (high) is a self-XSS in the writer field: an attacker can craft a link (or email link) whose target contains a scripting payload. The resulting link is clickable by the user who entered it, though exploitation typically requires knowledge of the content structure.
Request Header Injection
CVE-2026-50188 (medium) affects the Kirby\Http\Remote class, which is used to send outgoing HTTP requests. If user-controlled data is passed into the headers option, an attacker can inject arbitrary headers — including Host, Authorization, or Cookie — into the outgoing request, potentially enabling request smuggling or credential theft.
Patch Status and Mitigation
The Kirby team has released patches for all seven CVEs. Users should upgrade to Kirby 5.0.2 or later, or Kirby 4.6.1 or later, depending on their version line. For sites that cannot immediately upgrade, the advisory recommends disabling content.fileRedirects (for CVE-2026-54004), ensuring at least one admin user is configured before exposing the Panel behind a reverse proxy (for CVE-2026-54003), and auditing any use of Kirby\Http\Remote with user-supplied header data.
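One way to act on the audit recommendation for CVE-2026-50188, as an added example that is not Kirby's own code: a PHP filter applied to user-influenced header data before it is handed to the `headers` option of Kirby\Http\Remote. The function and exception names are hypothetical, and the array shape Remote expects in your version is assumed to be name => value.

```php
<?php
// Added example, not Kirby's own code: a guard applied to user-influenced header
// data before it reaches the `headers` option of Kirby\Http\Remote. The names
// safeRemoteHeaders and HeaderRejected are hypothetical.

final class HeaderRejected extends InvalidArgumentException {}

// Headers that user input must never set or override on an outgoing request.
const FORBIDDEN_HEADERS = ['host', 'authorization', 'cookie',
    'proxy-authorization', 'transfer-encoding', 'content-length'];
// $untrusted: name => value pairs derived from user input;
// $allowed: header names the application permits. Returns only the safe pairs.
function safeRemoteHeaders(array $untrusted, array $allowed): array
{
    $allowedLower = array_map('strtolower', $allowed);
    $clean = [];
    foreach ($untrusted as $name => $value) {
        $name  = (string) $name;
        $value = (string) $value;
        // Field names must be RFC 7230 tokens; a CR, LF or colon in the name
        // would start a new header line or change how the value is parsed.
        if (preg_match('/^[!#$%&\'*+.^_`|~0-9A-Za-z-]+$/', $name) !== 1) {
            throw new HeaderRejected('Invalid header name: ' . bin2hex($name));
        }
        // Control characters (CR/LF above all) in a value are the injection
        // primitive that smuggles extra headers into the request. Tab stays legal.
        if (preg_match('/[\x00-\x08\x0A-\x1F\x7F]/', $value) === 1) {
            throw new HeaderRejected("Control character in value of '{$name}'");
        }
        if (in_array(strtolower($name), FORBIDDEN_HEADERS, true)) {
            throw new HeaderRejected("'{$name}' may not be set from user input");
        }
        if (in_array(strtolower($name), $allowedLower, true)) {
            $clean[$name] = trim($value); // names outside the allow-list are dropped
        }
    }
    return $clean;
}
// Constructed sample: two legitimate pairs and one value carrying a CRLF
// sequence that would otherwise become a separate Cookie header.
$input = [
    'Accept'     => 'application/json',
    'X-Trace-Id' => 'trace-0001',
    'X-Note'     => "ok\r\nCookie: session=placeholder",
];
try {
    $headers = safeRemoteHeaders($input, ['Accept', 'X-Trace-Id', 'X-Note']);
} catch (HeaderRejected $e) {
    error_log('Rejected outgoing header: ' . $e->getMessage()); // fail closed
}
```

Pass the returned array to the Remote call (for example `Remote::request($url, ['headers' => $headers])`) in the header format your Kirby version expects. With the constructed sample above the function throws on the third pair, so the outgoing request is never built.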
Bottom Line
This batch is notable for its breadth — spanning authentication bypass, permission escalation, XSS, and injection — and for the critical severity of the reverse-proxy Panel initialization flaw. Kirby users, especially those running fresh installations or sites behind reverse proxies, should treat this advisory as urgent.