CVE-2026-50188: Panel CRLF injection overrides

Q: Is CVE-2026-50188 actively exploited?

No confirmed active exploitation of CVE-2026-50188 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-50188?

1. **Patch immediately on next maintenance window**: Upgrade `getkirby/cms` to 4.9.4 (Kirby 4.x) or 5.4.4 (Kirby 5.x). Both versions strip CR and LF characters from header values before passing them to cURL. 2. **Audit custom code and plugins**: Search your codebase for all calls to `Remote::request()`, `Remote::get()`, `Remote::post()`, and similar helpers. Trace whether any header value originates from user input, request parameters, form fields, or database content. 3. **Interim workaround**: If immediate patching is not possible, sanitize header values before passing them: `$value = str_replace(["\r", "\n"], '', $userInput);`. 4. **Review plugin dependencies**: Check installed Kirby plugins for their `getkirby/cms` version constraint; many plugins may transitively depend on the vulnerable version. 5. **Detection**: Review access logs on upstream AI/ML services for unexpected or duplicate Authorization headers, unusual request patterns from your Kirby server's IP, or API calls with tokens not issued by your application. There is no runtime detection method on the Kirby side without a WAF inspecting raw outgoing HTTP.

Q: What systems are affected by CVE-2026-50188?

This vulnerability affects the following AI/ML architecture patterns: web-based ML UIs and dashboards, AI API proxy and gateway layers, LLM provider integrations via CMS plugins, multi-tenant AI application backends.

Q: What is the CVSS score for CVE-2026-50188?

No CVSS score has been assigned yet.

CISO Take

Kirby CMS's HTTP client class fails to strip carriage-return/line-feed characters from header values before forwarding them to cURL, allowing an attacker who controls any portion of an outgoing request header to inject additional, arbitrary headers — including overriding sensitive ones like Authorization or Cookie. For teams using Kirby as a web UI layer atop AI/ML backends (LLM APIs, vector databases, inference endpoints), this means a crafted input could silently replace API credentials in outbound calls or smuggle forged metadata to upstream services, without any footprint on the Kirby server itself. Exploitation is non-trivial in practice — it requires a custom code path or plugin that routes user-supplied data into a Remote class header value, which Kirby's own core does not do by default — but the 479 downstream Composer dependents widen the attack surface considerably across the ecosystem. No public exploit exists, no EPSS data is available, and the issue is not in CISA KEV, so immediate emergency patching is not warranted; teams should schedule an upgrade to Kirby 4.9.4 or 5.4.4 in their next maintenance window and audit any custom plugins or integrations that call Remote with user-influenced header values.

Sources: GitHub Advisory OpenSSF ATLAS NVD

What is the risk?

Overall risk is LOW-TO-MEDIUM for most deployments. The vulnerability requires a specific, non-default code pattern: user-controlled data must reach the `headers` option of a `Remote` request. Kirby core does not expose this path, so only custom integrations or third-party plugins are vulnerable. With 479 downstream Composer dependents, at least some will have written such integrations — particularly those building AI API proxy layers or webhook forwarders on top of Kirby. No public exploit code, no active exploitation evidence, and no EPSS score are available, reducing urgency. The impact ceiling is significant if an Authorization or Cookie header can be overridden in a call to a downstream AI service, but achieving this requires an attacker to know exactly which header key is being set and to have write access to its value.

How does the attack unfold?

Initial Access

Attacker identifies a Kirby-powered AI application feature that accepts user-supplied input (e.g., a custom API token or tracking identifier) and passes it unsanitized into a Remote class HTTP request header.

AML.T0049

Injection

Attacker crafts a header value containing CRLF characters (\r\n) followed by a second header name and value, such as injecting a forged Authorization header targeting an upstream LLM API.

Credential Abuse

The Kirby server's outgoing cURL request emits the injected header to the upstream AI service, overriding the legitimate Authorization credential and authenticating as a different user or with an attacker-controlled token.

AML.T0091.000

Impact

Attacker gains unauthorized access to downstream AI API resources — consuming quota billed to the victim, exfiltrating LLM responses containing other users' data, or probing the AI service using the victim's identity.

AML.T0106

Initial Access

Attacker identifies a Kirby-powered AI application feature that accepts user-supplied input (e.g., a custom API token or tracking identifier) and passes it unsanitized into a Remote class HTTP request header.

AML.T0049

Injection

Attacker crafts a header value containing CRLF characters (\r\n) followed by a second header name and value, such as injecting a forged Authorization header targeting an upstream LLM API.

Credential Abuse

The Kirby server's outgoing cURL request emits the injected header to the upstream AI service, overriding the legitimate Authorization credential and authenticating as a different user or with an attacker-controlled token.

AML.T0091.000

Impact

Attacker gains unauthorized access to downstream AI API resources — consuming quota billed to the victim, exfiltrating LLM responses containing other users' data, or probing the AI service using the victim's identity.

AML.T0106

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Panel	composer	<= 4.9.3	`4.9.4`
5.7K OpenSSF 6.6 479 dependents Pushed 5d ago 60% patched ~5d to patch Full package profile →

Do you use Panel? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

What should I do?

5 steps

Patch immediately on next maintenance window

Upgrade getkirby/cms to 4.9.4 (Kirby 4.x) or 5.4.4 (Kirby 5.x). Both versions strip CR and LF characters from header values before passing them to cURL.
Audit custom code and plugins

Search your codebase for all calls to Remote::request(), Remote::get(), Remote::post(), and similar helpers. Trace whether any header value originates from user input, request parameters, form fields, or database content.
Interim workaround

If immediate patching is not possible, sanitize header values before passing them: $value = str_replace(["\r", "\n"], '', $userInput);.
Review plugin dependencies

Check installed Kirby plugins for their getkirby/cms version constraint; many plugins may transitively depend on the vulnerable version.
Detection

Review access logs on upstream AI/ML services for unexpected or duplicate Authorization headers, unusual request patterns from your Kirby server's IP, or API calls with tokens not issued by your application. There is no runtime detection method on the Kirby side without a WAF inspecting raw outgoing HTTP.

How is it classified?

Auth Bypass Data Leakage Plugin API AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0091.000 - Application Access Token AML.T0106 - Exploitation for Credential Access

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system

ISO 42001

A.6.2 - AI system input data

NIST AI RMF

MS-2.5 - Practices for managing AI risks from dependencies

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-50188?

Kirby CMS's HTTP client class fails to strip carriage-return/line-feed characters from header values before forwarding them to cURL, allowing an attacker who controls any portion of an outgoing request header to inject additional, arbitrary headers — including overriding sensitive ones like Authorization or Cookie. For teams using Kirby as a web UI layer atop AI/ML backends (LLM APIs, vector databases, inference endpoints), this means a crafted input could silently replace API credentials in outbound calls or smuggle forged metadata to upstream services, without any footprint on the Kirby server itself. Exploitation is non-trivial in practice — it requires a custom code path or plugin that routes user-supplied data into a Remote class header value, which Kirby's own core does not do by default — but the 479 downstream Composer dependents widen the attack surface considerably across the ecosystem. No public exploit exists, no EPSS data is available, and the issue is not in CISA KEV, so immediate emergency patching is not warranted; teams should schedule an upgrade to Kirby 4.9.4 or 5.4.4 in their next maintenance window and audit any custom plugins or integrations that call Remote with user-influenced header values.

Is CVE-2026-50188 actively exploited?

No confirmed active exploitation of CVE-2026-50188 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-50188?

1. **Patch immediately on next maintenance window**: Upgrade `getkirby/cms` to 4.9.4 (Kirby 4.x) or 5.4.4 (Kirby 5.x). Both versions strip CR and LF characters from header values before passing them to cURL. 2. **Audit custom code and plugins**: Search your codebase for all calls to `Remote::request()`, `Remote::get()`, `Remote::post()`, and similar helpers. Trace whether any header value originates from user input, request parameters, form fields, or database content. 3. **Interim workaround**: If immediate patching is not possible, sanitize header values before passing them: `$value = str_replace(["\r", "\n"], '', $userInput);`. 4. **Review plugin dependencies**: Check installed Kirby plugins for their `getkirby/cms` version constraint; many plugins may transitively depend on the vulnerable version. 5. **Detection**: Review access logs on upstream AI/ML services for unexpected or duplicate Authorization headers, unusual request patterns from your Kirby server's IP, or API calls with tokens not issued by your application. There is no runtime detection method on the Kirby side without a WAF inspecting raw outgoing HTTP.

What systems are affected by CVE-2026-50188?

This vulnerability affects the following AI/ML architecture patterns: web-based ML UIs and dashboards, AI API proxy and gateway layers, LLM provider integrations via CMS plugins, multi-tenant AI application backends.

What is the CVSS score for CVE-2026-50188?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

web-based ML UIs and dashboardsAI API proxy and gateway layersLLM provider integrations via CMS pluginsmulti-tenant AI application backends

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0049 Exploit Public-Facing Application

AML.T0091.000 Application Access Token

AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Art. 9

ISO 42001: A.6.2

NIST AI RMF: MS-2.5

OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

### TL;DR This vulnerability affects Kirby sites and plugins that use the `Kirby\Http\Remote` class (including `Remote::request()`, `Remote::get()`, `Remote::post()`, and similar helpers) to send outgoing HTTP requests and that pass untrusted, user-controlled data into the `headers` option of such a request. By including newline characters in the value of the header, it was possible to inject a separate, independent header that was not intended to be set. A successful attack requires that an application or plugin forwards attacker-influenced input into a request header value. Sites that only send static, developer-defined headers are *not* affected. The attack does not target Panel users or site visitors directly; it targets the remote service that Kirby connects to. In Kirby's default configuration, the `Remote` class is not exposed to untrusted input, so a default installation is *not* affected. The vulnerability becomes relevant for custom code, plugins, or integrations that build request headers from user input. ---- ### Introduction HTTP header injection (also known as CRLF injection) is a type of vulnerability that allows an attacker to insert additional, attacker-controlled HTTP headers into a request or response. HTTP headers are separated by carriage-return and line-feed characters (`\r\n`). If untrusted data containing these characters is placed into a header value without sanitization, an attacker can terminate the intended header early and append headers of their own. For outgoing requests, this means an attacker who controls part of a header value can add or override headers that the application did not intend to send. Depending on the remote service, this can be used to override security-relevant headers (such as `Authorization`, `Host`, or `Cookie`), to smuggle requests, or to poison caches on the upstream system. Such vulnerabilities are relevant if untrusted input can reach the header values of an outgoing request – for example, a user-configurable API token, a forwarded tracking identifier, or any other value that originates from a request, form field, or content file. ### Affected components The `Kirby\Http\Remote` class is used throughout Kirby and by plugins to perform outgoing HTTP requests. Its `headers` option allows callers to define the headers sent with the request. As the vulnerability is in the way `Remote` assembles these headers, it affects all code paths that send a `Remote` request whose header values contain untrusted data. The Kirby core itself has not passed untrusted data in that way, but plugins or custom code might have used the class in such a way. ### Impact In affected releases, header values passed to `Remote` were handed to the cURL request library without removing newline characters: The `headers` option accepted arbitrary strings as header values and forwarded them to the underlying cURL request unchanged. A value containing `\r\n` was written verbatim to the socket and therefore split into several header lines on the wire. For example, a single `X-Foo` header value of `"Bar\r\nX-Injected: pwned"` produced two separate headers in the outgoing request: ``` X-Foo: Bar X-Injected: pwned ``` The receiving server parsed `X-Injected: pwned` as its own header. In the same way, an attacker could override a header that the application set earlier in the same request (for example, replacing a legitimate `Authorization` header). The vulnerability allows attackers to inject or override HTTP headers in outgoing requests, provided the affected application or plugin includes attacker-controlled data in a header value. ### Patches The problem has been patched in [Kirby 4.9.4](https://github.com/getkirby/kirby/releases/tag/4.9.4) and [Kirby 5.4.4](https://github.com/getkirby/kirby/releases/tag/5.4.4). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability. In all of the mentioned releases, we now strip carriage-return and line-feed characters from header values before they are passed to the underlying request, preventing additional headers from being injected.

Exploitation Scenario

An adversary targeting an AI-powered SaaS product built on Kirby identifies a feature where users can configure a custom API token for an LLM provider integration. The application accepts the user-supplied token and passes it into the `Authorization` header of an outgoing `Remote::post()` call to the OpenAI API. The attacker sets their 'token' to `sk-legittoken\r\nAuthorization: Bearer sk-stolen-other-user-token`, causing the cURL request to emit two `Authorization` headers. Depending on cURL and server behavior, the second header may override the first, causing the outgoing request to authenticate with a different user's token. The attacker can then consume AI API quota billed to that user, exfiltrate the model's responses (which may include that user's private prompts or data), or probe the downstream service for weaknesses — all while appearing as a legitimate application request from the Kirby server.

Weaknesses (CWE)

CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') Primary CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') Primary

CWE-113 — Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'): The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

[Implementation] Construct HTTP headers very carefully, avoiding the use of non-validated input data.
[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. If an input does not strictly conform to specifications, reject it or transform it into something that conforms. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, den

Source: MITRE CWE corpus.