Kirby CMS's read access to site, user and role information is not gated by permissions — CVE-2026-42069
GitHub · GitHub · CVE-2026-42069
ID
CVE-2026-42069
CVE-2026-42069
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
7.1
7.1
EPSS
0.0003
0.0003
Summary
### TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. **This vulnerability is of high severity for affected sites.** Sites using Kirby are *not* affected if they intend all users of the site to be able to list and access the site model and all users and roles, including the content stored within these models. Write actions are *not*…
Product
composer: getkirby/cms
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.