Kirby CMS versions through 4.9.0 (4.x track) and 5.4.0 (5.x track) do not enforce the role-based `pages.access` permission in the frontend path resolver: any authenticated user, whatever their role restrictions, can view a page draft they are explicitly prohibited from accessing simply by requesting its URL directly. For organizations using Kirby to manage AI-generated content, pre-publication research, or model announcement pages, this is an insider-threat and authorization-bypass scenario that sidesteps the read-side authorization model for draft content (write actions are not affected). With no public exploit, no CISA KEV listing, and a package risk score of 26/100, exploitation at scale is unlikely, but the bar is trivially low for any authenticated user who knows a draft's URL path. Patch to Kirby 4.9.1 or 5.4.1; sites where every authenticated user is intended to see every draft are not affected.
What is the risk?
Medium risk overall. Exploitation requires an authenticated session of any role plus knowledge of the target draft URL, but no elevated privileges, special tooling, or AI/ML expertise: a single authenticated HTTP GET suffices. Impact is confidentiality-only; write operations are explicitly unaffected. Blast radius is scoped to deployments that actually use `pages.access` (in user blueprints or via model `options`) to gate draft visibility, which is the primary purpose of that permission. The OpenSSF scorecard of 7.1/10 indicates reasonable upstream security hygiene, and the patch was released responsibly. With 469 downstream dependents this is not a niche package, but real-world AI/ML exposure depends on whether Kirby is used to manage sensitive pre-publication AI content specifically.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| getkirby/cms | composer | 4.x, <= 4.9.0 | 4.9.1 |
| getkirby/cms | composer | 5.x, <= 5.4.0 | 5.4.1 |
If you run getkirby/cms in one of these ranges and use `pages.access` (user blueprint) or the `access` option (page blueprint) to keep some roles away from some pages, you are affected. Sites where every user is meant to see every draft are not.
What should I do?
Five steps:
1. PATCH: Upgrade to Kirby 4.9.1 (4.x track) or Kirby 5.4.1 (5.x track). Both releases add a check that the requesting user has the `pages.access` permission for the specific page model before the draft template is rendered.
2. WORKAROUND (if patching is delayed): The exploit needs nothing more than a logged-in session, so the goal is to stop restricted roles from holding one. Temporarily revoke Panel and REST API access for all non-admin roles (or disable those accounts), or remove sensitive draft content from the CMS pending upgrade. Both are blunt; treat them as short-lived.
3. DETECTION: Build the list of draft URLs from the `_drafts` directories under your content folder. Note that the `_drafts` segment never appears in the requested URL: the attacker requests the page's normal path (e.g. `/new-model-announcement`), so grepping logs for `_drafts` finds nothing. Search web server access logs for GET requests to those paths that returned 200 without a `token` preview parameter. Stock access logs do not identify the Kirby user, so log the session cookie (`kirby_session` by default) in a custom log format or correlate with Panel activity from the same client before treating a hit as an incident.
4. SCOPE VALIDATION: Confirm your deployment is affected by checking user blueprints (`site/blueprints/users/`) for `pages.access: false` entries and page blueprints (`site/blueprints/pages/`) for an `access` option that denies a role. Sites with no per-role page access restrictions are not vulnerable to this issue.
5. POST-PATCH VERIFICATION: Log in as a user of a restricted role and request a draft URL that role must not see. The draft must no longer render; expect Kirby's error page (typically a 404) rather than a 403, so check for the absence of draft content rather than for a specific status code. Confirm that preview links with a valid token still work.
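The scope validation step above as a script. This is an added example, not code from Kirby or from the advisory: a minimal parser for the indentation-based key/value mappings Kirby blueprints use (not a general YAML parser), plus a function that reports every role / page-model pair whose draft access is denied. The blueprint contents are constructed; role names are taken from the user blueprint file stems, and the per-role `options: access: {role: false}` form in the page blueprint is assumed to be the `options` syntax the advisory refers to.

```python
from pathlib import Path


def parse_simple_yaml(text):
    """Parse the nested key/value mappings used by Kirby blueprints.

    Supports nested mappings, scalar strings and YAML booleans only. It is not a
    general YAML parser (no lists, anchors or multi-line scalars); assumption: the
    blueprints being checked stay within that subset.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) chain from the root to the current node
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # climb back out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a key with no value introduces a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = {"true": True, "false": False}.get(value.lower(), value)
    return root


def restricted_draft_access(user_blueprints, page_blueprints):
    """Return (role, model, reason) triples where pages.access is denied.

    Both arguments map a blueprint name (file stem; for user blueprints that is the
    role id) to its YAML text. model "*" means every page, role "*" every role.
    """
    findings = []
    for role, text in user_blueprints.items():
        perms = parse_simple_yaml(text).get("permissions", {})
        pages = perms.get("pages", True) if isinstance(perms, dict) else perms
        if pages is False:
            findings.append((role, "*", "user blueprint disables all pages permissions"))
        elif isinstance(pages, dict) and pages.get("access") is False:
            findings.append((role, "*", "user blueprint sets pages.access: false"))
    for model, text in page_blueprints.items():
        options = parse_simple_yaml(text).get("options", {})
        access = options.get("access", True) if isinstance(options, dict) else True
        if access is False:
            findings.append(("*", model, "page blueprint sets options.access: false"))
        elif isinstance(access, dict):  # per-role form: access: {editor: false}
            for role, allowed in access.items():
                if allowed is False:
                    findings.append((role, model, "page blueprint denies access for this role"))
    return findings


def load_blueprints(directory):
    """Read every *.yml blueprint in a directory into {file stem: text}."""
    return {p.stem: p.read_text() for p in Path(directory).glob("*.yml")}


# Constructed blueprints standing in for site/blueprints/users/*.yml and
# site/blueprints/pages/*.yml.
SAMPLE_USERS = {
    "editor": "title: Editor\npermissions:\n  access:\n    panel: true\n  pages:\n    access: false\n    list: true\n",
    "contractor": "title: Contractor\npermissions:\n  pages:\n    access: true\n",
    "admin": "title: Admin\n",
}
SAMPLE_PAGES = {
    "article": "title: Article\nfields:\n  text:\n    type: textarea\n",
    "announcement": "title: Announcement\noptions:\n  access:\n    contractor: false\n    editor: true\n",
}

if __name__ == "__main__":
    # Real blueprints when run from the Kirby root, otherwise the constructed samples.
    users = load_blueprints("site/blueprints/users") or SAMPLE_USERS
    pages = load_blueprints("site/blueprints/pages") or SAMPLE_PAGES
    hits = restricted_draft_access(users, pages)
    if not hits:
        print("no per-role page access restrictions found: not exposed by this advisory")
    for role, model, reason in hits:
        print(f"role={role} model={model}: {reason}")
```

Every triple the script prints is a role that, on a vulnerable release, can still read the named drafts by URL; an empty result means the site is outside the advisory's scope regardless of version.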
Frequently Asked Questions
What is CVE-2026-44176?
CVE-2026-44176 is a missing-authorization vulnerability in Kirby CMS (getkirby/cms) through 4.9.0 and 5.4.0: the frontend path resolver renders page drafts for any authenticated user without checking the role-based `pages.access` permission, so a user barred from a page model can read its draft by requesting the URL directly. It is read-only (no write impact) and is fixed in Kirby 4.9.1 and 5.4.1.
Is CVE-2026-44176 actively exploited?
No confirmed active exploitation of CVE-2026-44176 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-44176?
Upgrade to Kirby 4.9.1 (4.x track) or 5.4.1 (5.x track), which check the requesting user's `pages.access` permission for the specific page model before rendering a draft. If patching is delayed, temporarily revoke Panel and REST API access for non-admin roles or remove sensitive drafts from the CMS. Then review access logs for authenticated, token-less GETs to draft URLs (derive the URLs from the `_drafts` directories in the content folder; the `_drafts` segment itself does not appear in requests), confirm in the user and page blueprints that `pages.access` is actually restricted for some role, and verify after upgrading that a restricted-role session no longer gets the draft content. The full five-step procedure is under "What should I do?" above.
What systems are affected by CVE-2026-44176?
The vulnerable package is getkirby/cms (Composer) through 4.9.0 on the 4.x track and through 5.4.0 on the 5.x track, on sites that restrict `pages.access` for some role. In AI/ML terms, the exposed deployment patterns are: AI content management and publication pipelines, ML research and model announcement portals, multi-role CMS deployments managing pre-publication AI content, and AI compliance documentation workflows.
What is the CVSS score for CVE-2026-44176?
No CVSS score has been assigned yet.
AI Security Impact
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0036 Data from Information Repositories
- AML.T0049 Exploit Public-Facing Application
Technical Details
Original Advisory
### TL;DR

This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages (`pages.access` permission is disabled). This can be due to configuration in the user blueprint(s), via `options` in the model blueprint(s) or via a combination of both settings.

Kirby sites are *not* affected if they intend all users of the site to be able to access all page drafts of the site.

The vulnerability can only be exploited by authenticated users. Write actions are *not* affected by this vulnerability.

----

### Introduction

Missing authorization allows authenticated users to perform actions they are not intended to have access to. The effects of missing authorization can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.

### Affected components

Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions.

Kirby provides the `pages.access` and `pages.list` permissions (among others). The `list` permission controls whether affected models appear in lists throughout the Panel and REST API. The `access` permission has the same effect but also disables direct access to the affected models.

This vulnerability affects the path resolver for the main CMS router. The resolver takes an input path from the requested URL and determines which model (page or file) should be rendered. When a path is requested that points to a page draft, the resolver checks that the request either contains a valid preview token or is authenticated by a valid user.

### Impact

In affected releases, Kirby allowed page drafts to be rendered if any valid user was authenticated, even if that user did not have access to the specific page model. Authenticated attackers with knowledge of the full path to an existing page draft could then access the rendered frontend page. This could lead to the disclosure of sensitive information, e.g. ahead of the launch of a new product or post.

### Patches

The problem has been patched in [Kirby 4.9.1](https://github.com/getkirby/kirby/releases/tag/4.9.1) and [Kirby 5.4.1](https://github.com/getkirby/kirby/releases/tag/5.4.1). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.

In all of the mentioned releases, Kirby has added a check that verifies that the requested page draft is accessible to the current user before rendering the draft template.

### Credits

Kirby thanks @adrgs for responsibly reporting the identified issue.
Exploitation Scenario
A contractor with a basic 'editor' role on a Kirby-powered AI product site has authenticated Panel access limited to managing blog content and is barred from the upcoming AI model launch pages, either through the `access` option in that page model's blueprint or through `pages.access: false` in the role's user blueprint (which hides every page from that role). Before the patch, the contractor discovers or guesses the URL slug of a restricted page that is still in draft (e.g. `/new-model-announcement`), perhaps from URL patterns in their permitted content, from an internal Slack message, or simply by trying predictable names. The contractor sends an authenticated browser request directly to the draft URL. Kirby's path resolver sees a valid session and renders the full draft frontend page without consulting the `pages.access` permission. The contractor reads the pre-publication AI product announcement, pricing strategy, or compliance roadmap. No exploit code is required: any standard browser session suffices, and on the wire the request is indistinguishable from an authorized user's view of the same draft.
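Detection for the request pattern in the scenario above (the detection step of the remediation list), as an added example that is not part of this page or of Kirby: derive draft URLs from the `_drafts` directories of the content folder, then flag log entries that fetched one of those URLs with a session cookie present and no preview `token`. The directory listing and log lines are constructed. The trailing `sess=` field is an assumed custom log format (for instance nginx's `$cookie_kirby_session`), because stock combined logs record no cookies; URL derivation assumes default slugs (directory name minus the numeric sorting prefix) on a single-language site.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed directory listing, relative to the Kirby root. On a real site feed in
# the output of e.g. `find content -type d -path '*/_drafts/*'`.
CONTENT_DIRS = [
    "content/1_blog/_drafts/q3-roadmap",
    "content/_drafts/new-model-announcement",
    "content/1_blog/2_hello-world",  # published page: no _drafts segment, ignored
]

# Constructed access-log lines. Assumed format: combined log plus a trailing
# `sess=<kirby_session cookie value, or ->` field (nginx `$cookie_kirby_session`).
# Stock combined logs carry no cookie, so without such a field there is no session column.
LOG_LINES = """\
198.51.100.4 - - [12/May/2026:10:14:03 +0000] "GET /blog/hello-world HTTP/1.1" 200 5120 "-" "Mozilla/5.0" sess=8a1c
198.51.100.4 - - [12/May/2026:10:15:41 +0000] "GET /new-model-announcement HTTP/1.1" 200 18422 "-" "Mozilla/5.0" sess=8a1c
203.0.113.9 - - [12/May/2026:10:16:02 +0000] "GET /new-model-announcement?token=abc123 HTTP/1.1" 200 18422 "-" "curl/8.0" sess=-
203.0.113.9 - - [12/May/2026:10:16:30 +0000] "GET /blog/q3-roadmap HTTP/1.1" 404 812 "-" "curl/8.0" sess=-
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" sess=(?P<sess>\S+)$'
)


def draft_urls(content_dirs):
    """Map content/_drafts directories to the URL path Kirby serves them under.

    Drops the `_drafts` segment and the numeric sorting prefix (`1_blog` -> `blog`).
    Assumption: default slugs and one language; custom slugs need the Panel's URL.
    """
    urls = set()
    for path in content_dirs:
        parts = path.strip("/").split("/")[1:]  # skip the leading `content`
        if "_drafts" not in parts:
            continue
        slugs = [re.sub(r"^\d+_", "", p) for p in parts if p != "_drafts"]
        urls.add("/" + "/".join(slugs))
    return urls


def find_draft_reads(log_lines, drafts):
    """Return served (200) GETs to a draft URL that carried a session and no preview token."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if m["method"] != "GET" or url.path not in drafts:
            continue
        if m["sess"] == "-" or "token" in parse_qs(url.query):
            continue  # anonymous (gets the error page anyway) or a legitimate preview link
        if m["status"] != "200":
            continue  # not rendered: a patched build answers with the error page
        hits.append({"ip": m["ip"], "ts": m["ts"], "sess": m["sess"], "url": url.path})
    return hits


if __name__ == "__main__":
    drafts = draft_urls(CONTENT_DIRS)
    for hit in find_draft_reads(LOG_LINES.splitlines(), drafts):
        # The session id is the only link to a Kirby user: resolve it against the
        # Panel's session store or login activity before treating the hit as an incident.
        print(f"{hit['ts']} {hit['ip']} session={hit['sess']} read draft {hit['url']}")
```

Only the second line is flagged: the hello-world page is published, the token-bearing request is a preview link, and the anonymous request to `/blog/q3-roadmap` was never served. A hit still needs the session mapped to a user and that user's role checked against the page's restrictions, which the web server log alone cannot do.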
Related Vulnerabilities
- CVE-2026-44897 (6.1) mistune: XSS via unescaped heading id= attribute
- CVE-2026-44898 (6.1) mistune: XSS in TOC render via unescaped heading ID
- CVE-2026-44708 (6.1) mistune: math plugin XSS bypasses escape=True control
- CVE-2026-44899 (4.7) mistune: CSS injection enables phishing UI overlay
- CVE-2026-44175 Kirby CMS: stored XSS in list field enables session hijack (same package, Panel)