CVE-2026-45334: Kirby CMS: auth bypass leaks admin emails via content lock

GHSA-39vq-49qm-r2mc MEDIUM
Published May 27, 2026
CISO Take

Kirby CMS up to version 4.9.0 fails to enforce user-visibility permissions when returning content-lock payloads, allowing any authenticated low-privilege Panel user to silently harvest the email address and internal identifier of any administrator or editor who currently has content open for editing. With 469 downstream dependents and no public exploit code or KEV listing, opportunistic mass exploitation is unlikely today, but the harvested admin email addresses directly enable targeted spearphishing and credential-stuffing attacks against the Kirby installation or any external service where those admins reuse credentials — a low-noise, high-value reconnaissance primitive that leaves almost no forensic trace. Upgrade getkirby/cms to 4.9.1 or 5.4.1 immediately; installations where all Panel roles are already permitted to list each other are not affected and require no action.

Sources: GitHub Advisory, NVD, OpenSSF, ATLAS

What is the risk?

Medium risk overall. Exploitation requires a pre-existing authenticated low-privilege account, which is a meaningful precondition, but once inside the Panel the attack is entirely passive — no writes, no anomalous payloads, just reading standard API responses. The default 10-minute content-lock window limits per-session exposure, but an attacker with persistent low-privilege access can poll continuously and enumerate all active admin accounts over time. No EPSS data is available and no public exploit exists, reducing near-term urgency, but the trivial post-authentication complexity and near-zero detection footprint warrant prompt patching rather than scheduled maintenance.

Attack Kill Chain

Initial Access
Attacker authenticates to Kirby Panel using a legitimately obtained low-privilege account belonging to a role configured with users.access: false or users.list: false.
AML.T0012
Exploitation
While a higher-privilege user has content open for editing (triggering a 10-minute content lock), the attacker makes standard Panel view requests that return lock payloads containing the locking user's identity without permission checks.
AML.T0049
Identity Harvesting
Attacker extracts admin email addresses and internal user IDs from unfiltered lock information across multiple editing sessions, building a complete enumeration of privileged accounts.
AML.T0087
Downstream Attack
Harvested admin emails are weaponized in targeted spearphishing campaigns or credential-stuffing attacks against the organization's AI infrastructure, cloud ML environments, or SaaS services.
AML.T0052

What systems are affected?

Package: getkirby/cms
Ecosystem: composer
Vulnerable range: <= 4.9.0
Patched: 4.9.1
Package profile: 5.7K; OpenSSF 7.1; 469 dependents; pushed 4d ago; 89% patched; ~0d to patch


Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps
  1. Patch: upgrade getkirby/cms to ≥4.9.1 (Kirby 4.x branch) or ≥5.4.1 (Kirby 5.x branch).

  2. Scope check: audit all files under site/blueprints/users/*.yml for any role configured with users.access: false or users.list: false — only those configurations are exposed.

  3. Workaround if patching is delayed: temporarily disable content-locking or set all Panel roles to allow mutual user visibility until the patch is applied.

  4. Detection: review Panel access logs for low-privilege role accounts receiving successful 200 responses from endpoints that include lock user payloads (look for repeated requests during active editing sessions from accounts not expected to view users).

  5. Post-incident: if a low-privilege account may have been misused, treat all admin email addresses as potentially enumerated and consider phishing-awareness briefings for admin staff.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.3 - AI system security
NIST AI RMF
GOVERN 6.2 - Policies and procedures for AI risk management
OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-45334 actively exploited?

No confirmed active exploitation of CVE-2026-45334 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-45334?

This vulnerability affects the following AI/ML architecture patterns: CMS-backed AI content portals, AI governance documentation systems, ML model documentation pipelines, Web-based AI management interfaces.

What is the CVSS score for CVE-2026-45334?

No CVSS score has been assigned yet.

AI Security Impact

Affected AI Architectures

CMS-backed AI content portals
AI governance documentation systems
ML model documentation pipelines
Web-based AI management interfaces

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0052 Phishing
AML.T0087 Gather Victim Identity Information

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.9.3
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM02

Technical Details

Original Advisory

### TL;DR

This vulnerability affects all Kirby sites that restrict the visibility of users for certain roles via the `users.access` or `users.list` permissions. A site is affected if users of a particular role are not allowed to see other users in the Panel, for example because the role's blueprint sets `users.access: false` or `users.list: false` as permission for the authenticated user role and/or as option for the target user role.

A Kirby site is *not* affected if all authenticated Panel users are permitted to access and list other users.

The vulnerability can only be exploited by authenticated users.

---

### Introduction

Missing authorization allows authenticated users to gain access to information they are not intended to see. The effects of missing authorization can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.

### Affected components

Kirby's user permissions control which user role is allowed to perform specific actions or access specific information in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). The `users.access` and `users.list` permissions control whether users of a given role are allowed to access and list other users in the Panel. It is also possible to customize the permissions for each target role using the `options` feature. The permissions and options together control the authorization of user actions.

Kirby's Panel includes a content-locking feature that records which user currently has a model open for editing. This lock prevents conflicting edits by multiple users and displays the locking user's identity in the Panel UI so other users know who to contact. Internally, the locking user's email address and identifier are included in every Panel view payload and in error responses returned when a user attempts to edit a model that is currently locked by another user.

### Impact

In affected releases, this lock information was returned without checking whether the requesting user had permission to access or list the locking user. This allowed a low-privilege authenticated Panel user, whose role was configured with `users.access: false` or `users.list: false`, to learn the email address and identifier of any user who currently had a model open for editing in the Panel, including administrators and other higher-privilege users. Content locks are active for a configurable window (10 minutes by default).

The email address can be used to enumerate admin accounts, target phishing, and feed credential-stuffing attacks against the Kirby installation or other sites. The internal user ID can be cross-referenced with other endpoints once the requester has obtained a higher privilege through unrelated means.

### Patches

The problem has been patched in [Kirby 4.9.1](https://github.com/getkirby/kirby/releases/tag/4.9.1) and [Kirby 5.4.1](https://github.com/getkirby/kirby/releases/tag/5.4.1). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.

In the mentioned releases, the lock information is now filtered based on the requesting user's permissions. The identity of the locking user is hidden when the requesting user does not have permission to access or list that user.

### Credits

Kirby thanks Matteo Panzeri (@matte1782) for responsibly reporting the identified issue.
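As an added illustration (not Kirby's own code), the following PHP sketch models the behaviour the advisory describes: the affected version hands out the locking user's identity to any requester, while the patched version withholds it unless the requesting role is permitted to access and list that user, including a per-target-role option. The `User` class, the `$permissions` table, the role names and the payload keys are assumptions, not Kirby's API.

```php
<?php
declare(strict_types=1);
// Added illustration, not Kirby's code: filtering a content-lock payload by the
// requesting user's permissions. User class, $permissions, roles and keys are assumed.

final class User {
    public function __construct(public string $id, public string $email, public string $role) {}
}

// Per-role permissions in the spirit of site/blueprints/users/<role>.yml (assumed layout):
// 'list' is a bool or a per-target-role map, standing in for the blueprint "options".
$permissions = [
    'admin'  => ['users' => ['access' => true,  'list' => true]],
    'editor' => ['users' => ['access' => true,  'list' => ['admin' => false, 'editor' => true]]],
    'guest'  => ['users' => ['access' => false, 'list' => false]],
];

// The requester may see the target only if both access and list permit it.
function canSeeUser(User $requester, User $target, array $permissions): bool {
    $p = $permissions[$requester->role]['users'] ?? [];
    if (($p['access'] ?? false) !== true) {
        return false;
    }
    $list = $p['list'] ?? false;
    return is_array($list) ? (($list[$target->role] ?? false) === true) : $list === true;
}

// Affected behaviour: the locking user's identity is returned to anyone.
function lockPayloadVulnerable(User $locker): array {
    return ['isLocked' => true, 'user' => ['id' => $locker->id, 'email' => $locker->email]];
}

// Patched behaviour: the lock is still reported, but the identity is withheld
// unless the requester is permitted to access and list the locking user.
function lockPayloadPatched(User $locker, User $requester, array $permissions): array {
    $payload = ['isLocked' => true, 'user' => null];
    if (canSeeUser($requester, $locker, $permissions)) {
        $payload['user'] = ['id' => $locker->id, 'email' => $locker->email];
    }
    return $payload;
}

// Constructed sample: an admin holds a lock; a guest and an editor request the view.
$admin  = new User('u1', 'admin@example.test', 'admin');
$guest  = new User('u2', 'guest@example.test', 'guest');
$editor = new User('u3', 'editor@example.test', 'editor');
echo json_encode(lockPayloadVulnerable($admin)), PHP_EOL;                    // identity leaks
echo json_encode(lockPayloadPatched($admin, $guest, $permissions)), PHP_EOL;  // user withheld
echo json_encode(lockPayloadPatched($admin, $editor, $permissions)), PHP_EOL; // withheld by option
```

The patched payload keeps `isLocked` so the Panel can still block conflicting edits; only the identity fields depend on the requester's permissions.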

Exploitation Scenario

An attacker registers or compromises a low-privilege Kirby Panel account — for instance, a guest editor role configured with users.list: false. The attacker monitors for times when administrators are actively editing content, triggering the Panel's content-lock feature. By making ordinary Panel page-view requests during these windows, the attacker receives API responses containing the locking administrator's email address and user ID without any permission check. Repeating this across multiple editing sessions over days yields a complete enumeration of all admin accounts. The harvested emails are then used to launch targeted spearphishing campaigns impersonating Kirby update notifications, or fed into credential-stuffing tools against cloud ML platforms and SaaS services the admins are known to use.

Timeline

Published
May 27, 2026
Last Modified
May 27, 2026
First Seen
May 27, 2026

Related Vulnerabilities