Kirby CMS versions up to 4.9.3 contain a missing authorization flaw (CWE-862) in the pages field picker backend, allowing any authenticated user — regardless of their assigned role — to confirm the existence of arbitrary pages and retrieve their titles by supplying a known page path directly to the picker API. With 479 downstream dependents and 35 historical CVEs in the same package, organizations using Kirby to manage content for AI-powered platforms or internal documentation portals should assess their exposure. Exploitation requires a valid authenticated session, no public exploit exists, and the CVE is absent from CISA KEV, limiting immediate urgency. Patch to Kirby 4.9.4 or 5.4.4 immediately; if patching is delayed, restrict panel access to the minimum necessary set of authenticated users and audit role blueprints to enforce least-privilege.
What is the risk?
Medium risk. Exploitation requires a valid authenticated session — unauthenticated attackers cannot leverage this remotely without credential access first. The impact is bounded to information disclosure: page existence confirmation and title retrieval only, with no write capability exposed. No public exploits exist, EPSS data is unavailable, and the CVE is not in CISA KEV. The pattern of 35 historical CVEs in getkirby/cms and an OpenSSF Scorecard of 6.6/10 signal persistent authorization hygiene weaknesses in this package, warranting elevated monitoring even as this specific finding carries moderate severity.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Panel | composer | <= 4.9.3 | 4.9.4 |
Do you use Panel? You're affected.
What should I do?
Five steps:

1. Patch immediately: upgrade to Kirby 4.9.4 (v4 branch) or Kirby 5.4.4 (v5 branch) or any later release; both add server-side validation that the requested parent page or site is accessible to the current user before returning picker data.
2. If patching is not immediately possible, restrict Kirby panel access to the minimum set of trusted users and revoke credentials for any accounts with elevated role assignments that are no longer required.
3. Review all user blueprints (`site/blueprints/users/`) and model blueprints (`site/blueprints/pages/`) to ensure `pages.access` and `pages.list` permissions are correctly scoped per role.
4. Monitor panel REST API logs for unusual pages picker requests enumerating paths outside normal editorial workflows.
5. Run `composer audit` to identify any transitive exposure to this version in downstream dependencies.
Frequently Asked Questions
Is CVE-2026-49274 actively exploited?
No confirmed active exploitation of CVE-2026-49274 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-49274?
This vulnerability affects the following AI/ML architecture patterns: AI model documentation platforms, AI-powered content management backends, Internal knowledge bases with role-based access control.
What is the CVSS score for CVE-2026-49274?
No CVSS score has been assigned yet.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0025 Exfiltration via Cyber Means
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
### TL;DR

This vulnerability affects all Kirby sites that use the `pages` field and where users of a particular role have no permission to access pages (`pages.access` permission is disabled). This can be due to configuration in the user blueprint(s), `options` in the model blueprint(s), or a combination of both settings.

It was possible to confirm the existence of arbitrary pages and to retrieve the value of the title field of the pages found.

The vulnerability can only be exploited by authenticated users. Write actions are *not* affected by this vulnerability.

----

### Introduction

Missing authorization allows authenticated users to perform actions they are not intended to have access to. The effects of missing authorization can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.

### Affected components

Kirby's user permissions control which user role is allowed to perform specific actions on content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions.

Kirby provides the `pages.access` and `pages.list` permissions (among others). The `list` permission controls whether affected models appear in lists throughout the Panel and REST API. The `access` permission has the same effect but also disables direct access to the affected models.

This vulnerability affects the backend logic for the page picker that is used in the `pages` field to select pages. The picker is opened based on a user-provided parent page or the site model.

### Impact

In affected releases, the backend logic did not validate that the user-provided parent page or site was accessible to the current user.

This allowed authenticated attackers with knowledge of the full path to an existing page to confirm the existence of a particular page and to retrieve the value of the title field of that page. This could lead to the disclosure of sensitive information.

### Patches

The problem has been patched in [Kirby 4.9.4](https://github.com/getkirby/kirby/releases/tag/4.9.4) and [Kirby 5.4.4](https://github.com/getkirby/kirby/releases/tag/5.4.4). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.

In all of the mentioned releases, we have added a check verifying that the requested parent page or site is accessible to the current user before returning the picker data.
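The `list`/`access` semantics and the parent check described in the advisory, modelled in Python as an added example that is not Kirby's own code: the boolean combination of role permissions and blueprint options, the picker functions and the sample site are all assumptions made for illustration.

```python
# Added illustration, not Kirby's own code: a boolean model of the `list` and
# `access` permissions and of the parent check the fixed picker performs.
from dataclasses import dataclass, field

@dataclass
class Page:
    path: str
    title: str
    children: list = field(default_factory=list)
    options: dict = field(default_factory=dict)  # model blueprint `options`, e.g. {"access": False}

@dataclass
class User:
    role: str
    permissions: dict  # user blueprint permissions, e.g. {"pages.access": False}

def is_accessible(user: User, page: Page) -> bool:
    # Assumption: the role permission AND the model option must both allow access
    # (the advisory says either setting, or a combination, can deny it).
    return user.permissions.get("pages.access", True) and page.options.get("access", True)

def is_listable(user: User, page: Page) -> bool:
    # `list` hides a model from lists; `access` does that too, so no access => not listable.
    if not is_accessible(user, page):
        return False
    return user.permissions.get("pages.list", True) and page.options.get("list", True)

def _picker_data(user: User, parent: Page) -> dict:
    return {"title": parent.title,
            "children": [c.title for c in parent.children if is_listable(user, c)]}

def picker_unpatched(user: User, pages: dict, parent_path: str):
    """Pre-fix behaviour: the parent is resolved by path with no access check."""
    parent = pages.get(parent_path)
    return None if parent is None else _picker_data(user, parent)

def picker_patched(user: User, pages: dict, parent_path: str):
    """Fixed behaviour: check the parent is accessible first, and answer an
    inaccessible parent exactly like a missing one so existence is not revealed."""
    parent = pages.get(parent_path)
    if parent is None or not is_accessible(user, parent):
        return None
    return _picker_data(user, parent)

# Constructed sample site: a blog with one unlisted draft, plus a branch whose blueprint disables `access`.
BLOG = Page("blog", "Blog", children=[Page("blog/hello", "Hello"),
                                     Page("blog/draft", "Draft", options={"list": False})])
SECRET = Page("internal/policy", "Incident response runbook", options={"access": False})
SITE = {p.path: p for p in (BLOG, SECRET)}
EDITOR = User("editor", {"pages.access": True, "pages.list": True})
```

The point to carry into a real fix is the last check in `picker_patched`: an inaccessible parent must produce the same response as a non-existent one, otherwise the error itself confirms the page exists.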
Exploitation Scenario
An authenticated attacker with a low-privilege editor role in a Kirby-powered CMS — restricted from accessing certain page branches containing, for example, AI system documentation or internal security policies — crafts direct HTTP requests to the pages picker API endpoint, supplying the full slug path of a restricted page as the parent parameter. Because the backend does not validate whether the requesting user holds pages.access permission for that parent, the server returns picker data including the restricted page's title. The attacker iterates over known or guessed page slugs (drawn from public URL patterns, sitemap leakage, or prior reconnaissance) to systematically map the hidden content structure, building a target list for subsequent social engineering, credential theft, or escalation attempts against higher-privileged users who do have access.
Weaknesses (CWE)
CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
- [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
- [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Source: MITRE CWE corpus.
Related Vulnerabilities
- CVE-2024-13152 (10.0) Mobuy Panel: SQLi allows unauthenticated DB takeover (same package: panel)
- CVE-2026-47744 (9.9) Shopper: RBAC bypass allows full admin takeover (same package: panel)
- CVE-2024-13147 (9.8) B2B Login Panel: SQLi enables unauthenticated DB access (same package: panel)
- CVE-2024-5960 (9.8) Panel: plaintext credential storage enables domain compromise (same package: panel)
- CVE-2025-14014 (9.8) Smart Panel: unauthenticated file upload enables RCE (same package: panel)