CVE-2026-54003: Panel admin takeover

CISO Take

Kirby CMS versions prior to 4.9.4 and 5.4.4 allow any remote unauthenticated attacker to create the first admin user account on freshly deployed instances sitting behind a reverse proxy that sets `Forwarded:`, `X-Client-IP`, or `X-Real-IP` headers — the installation endpoint's `isLocal` check fails to evaluate these headers, incorrectly treating external requests as originating locally. The blast radius is highest for automated CI/CD and container-based deployments that spin up Kirby instances without immediately provisioning an admin account, leaving the installation endpoint exposed to the internet; 479 downstream dependents and 35 historical CVEs on this package (OpenSSF: 6.6/10) signal a systemic security hygiene concern worth escalating. Exploitation is trivial — a single crafted HTTP POST to the installation endpoint suffices, no credentials or specialized tooling required. Upgrade to Kirby 4.9.4 or 5.4.4 immediately; if patching is blocked, create an admin account now to deactivate the vulnerable code path, or disable the Panel and API entirely via `config.php`.

Sources: GitHub Advisory (GHSA-whxw-24jc-cwmv) NVD OpenSSF ATLAS

What is the risk?

Critical risk for any Kirby deployment that simultaneously (1) has no existing admin users, (2) runs behind a reverse proxy using `Forwarded:`, `X-Client-IP`, or `X-Real-IP` headers, and (3) is publicly accessible. The vulnerability is trivially exploitable with zero authentication barrier and no specialized knowledge required. Sites already configured with at least one admin account are completely unaffected, significantly narrowing but not eliminating the exposed population. Cloud-native and containerized deployments are disproportionately at risk, as ephemeral environments frequently start without seeded admin accounts. No public exploit or active exploitation reported at time of analysis, but the simplicity of the attack means weaponization is trivial.

How does the attack unfold?

Reconnaissance

Attacker scans for publicly accessible Kirby CMS instances rendering the installation screen, a reliable signal that no admin account exists and the installation endpoint is active.

AML.T0006

Initial Access

Attacker sends a crafted HTTP POST to the Kirby installation endpoint; the `isLocal` check fails to evaluate the `Forwarded:`, `X-Client-IP`, or `X-Real-IP` header set by the reverse proxy, incorrectly treating the external request as local.

AML.T0049

Privilege Escalation

Attacker creates the first admin user account on the Kirby installation, gaining full authenticated control over the Panel interface and REST API.

AML.T0012

Impact

Admin access enables malicious plugin or template upload for server-side code execution, content manipulation, credential harvesting, and lateral movement into connected AI/ML backend infrastructure.

AML.T0048

Reconnaissance

Attacker scans for publicly accessible Kirby CMS instances rendering the installation screen, a reliable signal that no admin account exists and the installation endpoint is active.

AML.T0006

Initial Access

Attacker sends a crafted HTTP POST to the Kirby installation endpoint; the `isLocal` check fails to evaluate the `Forwarded:`, `X-Client-IP`, or `X-Real-IP` header set by the reverse proxy, incorrectly treating the external request as local.

AML.T0049

Privilege Escalation

Attacker creates the first admin user account on the Kirby installation, gaining full authenticated control over the Panel interface and REST API.

AML.T0012

Impact

Admin access enables malicious plugin or template upload for server-side code execution, content manipulation, credential harvesting, and lateral movement into connected AI/ML backend infrastructure.

AML.T0048

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Panel	composer	<= 4.9.3	`4.9.4`
5.7K OpenSSF 6.6 479 dependents Pushed 5d ago 60% patched ~5d to patch Full package profile →

Do you use Panel? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

6 steps

Immediate: Upgrade to Kirby 4.9.4 or 5.4.4 or a later release.
If upgrade is blocked: create an admin account manually via local access to deactivate the vulnerable installation code path — once any account exists, the vulnerability is inert.
Alternatively, disable both Panel and REST API with 'panel' => ['enabled' => false] and 'api' => false in config.php.
Audit reverse proxy configurations to confirm which forwarding header is in use (Forwarded:, X-Client-IP, X-Real-IP) and verify patched versions correctly reject external IPs from all of them.
Review web server access logs for unexpected POST requests to Panel installation endpoints (e.g., /panel/install) from external IPs as indicators of attempted exploitation.
Enforce network-level access controls: Panel and API endpoints should not be publicly reachable unless operationally required.

How is it classified?

Auth Bypass Code Execution API Framework AML.T0012 - Valid Accounts AML.T0021 - Establish Accounts AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.2 - Segregation of duties

NIST AI RMF

GOVERN 1.1 - Policies and procedures for AI risk

Frequently Asked Questions

What is CVE-2026-54003?

Kirby CMS versions prior to 4.9.4 and 5.4.4 allow any remote unauthenticated attacker to create the first admin user account on freshly deployed instances sitting behind a reverse proxy that sets `Forwarded:`, `X-Client-IP`, or `X-Real-IP` headers — the installation endpoint's `isLocal` check fails to evaluate these headers, incorrectly treating external requests as originating locally. The blast radius is highest for automated CI/CD and container-based deployments that spin up Kirby instances without immediately provisioning an admin account, leaving the installation endpoint exposed to the internet; 479 downstream dependents and 35 historical CVEs on this package (OpenSSF: 6.6/10) signal a systemic security hygiene concern worth escalating. Exploitation is trivial — a single crafted HTTP POST to the installation endpoint suffices, no credentials or specialized tooling required. Upgrade to Kirby 4.9.4 or 5.4.4 immediately; if patching is blocked, create an admin account now to deactivate the vulnerable code path, or disable the Panel and API entirely via `config.php`.

Is CVE-2026-54003 actively exploited?

No confirmed active exploitation of CVE-2026-54003 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-54003?

1. Immediate: Upgrade to Kirby 4.9.4 or 5.4.4 or a later release. 2. If upgrade is blocked: create an admin account manually via local access to deactivate the vulnerable installation code path — once any account exists, the vulnerability is inert. 3. Alternatively, disable both Panel and REST API with `'panel' => ['enabled' => false]` and `'api' => false` in `config.php`. 4. Audit reverse proxy configurations to confirm which forwarding header is in use (`Forwarded:`, `X-Client-IP`, `X-Real-IP`) and verify patched versions correctly reject external IPs from all of them. 5. Review web server access logs for unexpected POST requests to Panel installation endpoints (e.g., `/panel/install`) from external IPs as indicators of attempted exploitation. 6. Enforce network-level access controls: Panel and API endpoints should not be publicly reachable unless operationally required.

What systems are affected by CVE-2026-54003?

This vulnerability affects the following AI/ML architecture patterns: ML documentation and content portals, AI compliance and governance dashboards, Dataset catalogue and annotation platforms, Content management backends for AI/ML projects, API-integrated ML data ingestion pipelines.

What is the CVSS score for CVE-2026-54003?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

ML documentation and content portalsAI compliance and governance dashboardsDataset catalogue and annotation platformsContent management backends for AI/ML projectsAPI-integrated ML data ingestion pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0021 Establish Accounts

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.1.2

NIST AI RMF: GOVERN 1.1

What are the technical details?

Original Advisory

### TL;DR This vulnerability affects Kirby sites that have no configured user accounts and are running on publicly accessible servers behind a reverse proxy that sets the `Forwarded: for=...`, `X-Client-IP`, or `X-Real-IP` request header. It was possible to install the Panel (= create the first admin user) in these setups even from remote IP addresses. **This vulnerability is of critical severity for affected sites.** Your site is *not* affected if any of the following apply: - An admin account has already been configured - The Panel and API are disabled - The site is not running behind a reverse proxy - The reverse proxy sets the `X-Forwarded-For` or `Client-IP` header instead of the affected ones. ---- ### Introduction External Initialization is a type of vulnerability that allows attackers to initialize a system or configuration value without authentication. This can give untrusted actors access to the system or let them control its behavior. ### Affected components The Kirby Panel and REST API are authenticated by local user accounts. If a Kirby installation does not yet have any users, it first needs to be installed. During the installation process, an initial admin user account is created. To protect against external initialization attacks that would allow untrusted actors to create an admin user for the Kirby installation, Kirby already checked whether the current request came from a local IP address. This allows installing the Panel in local development setups. Installation on remote servers was only supposed to be possible when the `panel.install` configuration option was enabled. The `isLocal` check takes all relevant request headers into account and treats a request as non-local as soon as any checked request header contains an external IP address. ### Impact In affected releases, the `isLocal` check for the installation logic did not properly take the `Forwarded: for=...` header into account. This header is set by modern reverse proxy servers. It also did not take into account the `X-Client-IP` or `X-Real-IP` headers, which are set by some custom reverse proxy setups. This caused Kirby to falsely assume that an installation request was local and allowed creating an admin account even though the reverse proxy forwarded the request from an external IP address. Reverse proxies setting the `X-Forwarded-For` or `Client-IP` headers were *not* affected. These headers were already properly checked for external IP addresses. ### Patches The problem has been patched in [Kirby 4.9.4](https://github.com/getkirby/kirby/releases/tag/4.9.4) and [Kirby 5.4.4](https://github.com/getkirby/kirby/releases/tag/5.4.4). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability. In all of the mentioned releases, we fixed the `isLocal` check to also properly take `Forwarded: for=...`, `X-Client-IP` and `X-Real-IP` request headers into account. ### Workarounds Sites on older Kirby versions (Kirby 3 starting at 3.7.0) can be protected with one of the following workarounds: - Perform the Panel installation yourself by creating an initial admin account. As soon as one or more accounts are present, the vulnerable installation code is no longer active. - If you don't need the Panel, disable the REST API with the `'api' => false` option in `config.php`. ### Credits Thanks to Peter Levashov (@petersevera) for responsibly reporting the identified issue.

Exploitation Scenario

An adversary running automated CMS fingerprinting sweeps (via Shodan, Censys, or custom HTTP probes) identifies a publicly accessible Kirby instance rendering an installation screen — a reliable signal that no admin account exists. The target sits behind a modern reverse proxy (nginx, Traefik, Caddy) configured to inject a `Forwarded: for=<external-IP>` header. The attacker sends a single POST request to the Kirby installation endpoint with chosen credentials; Kirby's `isLocal` check evaluates `X-Forwarded-For` (clean) but ignores the `Forwarded:` header, classifying the request as local and creating the attacker-controlled admin account. Within minutes, the attacker uploads a malicious Kirby plugin achieving server-side code execution, pivots to the database containing AI model metadata or compliance evidence packs, and establishes persistence before any defender detects the anomalous account creation.

Weaknesses (CWE)

CWE-454 External Initialization of Trusted Variables or Data Stores Primary

CWE-454 — External Initialization of Trusted Variables or Data Stores: The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.

[Implementation] A product system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking (e.g. input validation) is performed when relying on input from outside a trust boundary.
[Architecture and Design] Avoid any external control of variables. If necessary, restrict the variables that can be modified using an allowlist, and use a different namespace or naming convention if possible.

Source: MITRE CWE corpus.