Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions — CVE-2026-42174
GitHub · GitHub · CVE-2026-42174
ID
CVE-2026-42174
CVE-2026-42174
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
5.3
5.3
EPSS
0.0003
0.0003
Summary
### TL;DR This vulnerability affects all Kirby sites where users of a particular role have no permission to update user information (`user.update` or `users.update` permission is disabled). This can be due to configuration in the blueprint(s) of the acting users, via `options` in the blueprint(s) of the target users or via a combination of both settings. Kirby sites are *not* affected if they intend all users of…
Product
composer: getkirby/cms
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.