Introduction
An authenticated user in Kirby CMS can bypass content creation restrictions by injecting a crafted blueprint parameter into API requests, effectively overriding the permissions that site administrators configured for their roles. For organizations that rely on Kirby's role based access controls to enforce least privilege across editorial teams, this vulnerability quietly undermines the entire authorization model for content and user creation.
Kirby is a source available, commercially licensed, file based content management system maintained by Content Folder GmbH & Co. KG. It has been commercially self funded and profitable for over a decade, serving a niche but loyal user base of developers and agencies who prefer its flat file architecture over database driven CMS platforms. Kirby's Panel (its administrative interface) is where this vulnerability surfaces, making it relevant to any deployment that exposes the Panel to multiple user roles with varying permission levels.
Technical Information
Kirby controls user authorization through a layered blueprint system. Permissions are defined at two levels: in user blueprints (located at site/blueprints/users/...), whose `permissions` section governs what each role may do, and in model blueprints (such as site/blueprints/pages/...), whose `options` section narrows those permissions for a specific target model. Together, these two layers determine whether a given user is authorized to perform actions such as `pages.create`, `files.create`, or `users.create`.
Root Cause
The root cause of CVE-2026-41325 is an incorrect authorization check (CWE-863) in the normalization code that processes creation requests for pages, files, and users. In vulnerable versions, the application does not filter the `blueprint` property from incoming request data. This means an authenticated attacker can include a crafted `blueprint` parameter in a creation API call that carries dynamic blueprint configuration, specifically setting the `create` option to `true`.
When the application processes this request, it merges the injected blueprint configuration into the model data. The injected options then take precedence over the permissions and options that the site developer configured in the user and model blueprints. This is a mass assignment pattern: state that should come only from developer controlled files on disk is accepted from the request body, and the authorization check downstream trusts it. The result is that a user whose role should be denied the ability to create pages, files, or users can bypass that restriction entirely.
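As an added illustration, and not Kirby's own code, the following PHP models the two blueprint layers described above as arrays and traces a create decision through a vulnerable normalization step and an allow-listed one. The function names, the `CREATE_FIELDS` list, the sample blueprints and the sample request are all assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not Kirby's code. Models the two blueprint layers
// (user blueprint `permissions`, model blueprint `options`) as PHP arrays
// and shows how an unfiltered `blueprint` key in a create request
// overrides them. All names below are assumptions.

// Stand-in for site/blueprints/users/editor.yml and admin.yml: the editor
// role is denied page creation. Constructed sample, not a real site's config.
const ROLE_PERMISSIONS = [
    'editor' => ['pages' => ['create' => false]],
    'admin'  => ['pages' => ['create' => true]],
];

// Stand-in for site/blueprints/pages/article.yml. No `create` option is
// set, so the role permission alone should decide the outcome.
const PAGE_BLUEPRINT = [
    'title'   => 'Article',
    'options' => [],
];

// Keys a create request is legitimately allowed to supply (assumption).
const CREATE_FIELDS = ['slug', 'template', 'content'];

// Vulnerable normalization: every key in the request, including a
// client-supplied `blueprint`, is merged over the developer's blueprint.
function normalizeVulnerable(array $input, array $blueprint): array
{
    return array_replace_recursive(['blueprint' => $blueprint], $input);
}

// Hardened normalization: allow-list the request keys before merging, so
// `blueprint` (or any other server-owned property) can never come from
// the client, whatever new server-owned keys are added later.
function normalizeHardened(array $input, array $blueprint): array
{
    $safe = array_intersect_key($input, array_flip(CREATE_FIELDS));
    return array_replace_recursive(['blueprint' => $blueprint], $safe);
}

// Effective decision: a boolean `options.create` on the model, when
// present, takes precedence over the role permission (the precedence the
// advisory describes); otherwise the role permission applies.
function canCreate(string $role, array $model): bool
{
    $rolePermission = ROLE_PERMISSIONS[$role]['pages']['create'] ?? false;
    $modelOption    = $model['blueprint']['options']['create'] ?? null;
    return is_bool($modelOption) ? $modelOption : $rolePermission;
}

// Constructed request from a low-privilege editor: ordinary create fields
// plus the injected blueprint that flips `create` to true.
$request = [
    'slug'      => 'injected-page',
    'template'  => 'article',
    'content'   => ['title' => 'Injected'],
    'blueprint' => ['options' => ['create' => true]],
];

$vulnerable = canCreate('editor', normalizeVulnerable($request, PAGE_BLUEPRINT));
$hardened   = canCreate('editor', normalizeHardened($request, PAGE_BLUEPRINT));

printf("editor may create (vulnerable): %s\n", var_export($vulnerable, true));
printf("editor may create (hardened):   %s\n", var_export($hardened, true));
```

Run with `php example.php`: the vulnerable path reports `true` for the editor because the injected `options.create` wins over the role's `create: false`, while the hardened path reports `false` because the `blueprint` key never reaches the merge. A deny-list (`unset($input['blueprint'])`) would also close this particular report, but an allow-list of client-settable fields is the shape that survives the next server-owned property being added to the model.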
Attack Flow
- An attacker authenticates to the Kirby Panel with a low privilege account whose role is explicitly restricted from creating certain content types (pages, files, or users).
- The attacker crafts a creation request to the relevant API endpoint (for pages, files, or users) and injects a `blueprint` property into the request payload.
- The injected blueprint contains dynamic configuration that sets the `create` option to `true`.
- The server side normalization code processes the request without filtering the `blueprint` property, allowing the injected configuration to override the developer defined restrictions.
- The creation action succeeds despite the user's role being configured to deny it.
CVSS Scoring
| Standard | Base Score | Severity | Vector |
|---|---|---|---|
| CVSS v4.0 | 7.1 | High | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| CVSS v3.0 | 4.3 | Medium | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
The two scores diverge on how much integrity impact to assign: the v4 vector rates it high (VI:H), giving 7.1, while the v3 vector rates it low (I:L), giving 4.3. Both agree that the attack is network reachable, low complexity, requires low privileges (a valid Panel account) and no user interaction, and that the impact is strictly limited to integrity; there is no direct risk to confidentiality or availability.
Configuration Dependency
It is worth noting that the exposure is highly dependent on configuration. Sites are only vulnerable if they restrict certain user roles from creating content or users, since the bug lets a user escalate past exactly those restrictions. If a site already allows all authenticated users to create pages, files, and users, there is nothing for the bypass to bypass and it is not affected by this vulnerability; the attacker also still needs working Panel credentials.
Affected Systems and Versions
| Branch | Vulnerable Versions | Fixed Version |
|---|---|---|
| v4 | 4.8.0 and prior | 4.9.0 |
| v5 | 5.0.0 through 5.3.3 | 5.4.0 |
Organizations on the v4 branch can apply the backported fix in 4.9.0 without a major version upgrade, while those on v5 should move directly to 5.4.0. The installed core version is reported by `Kirby\Cms\App::version()` and recorded in the `composer.json` shipped in the `kirby` directory, which is a quick way to confirm that a deployment has actually picked up the fixed release. The vulnerability specifically affects deployments where the Kirby Panel is accessible and role based permissions restrict content or user creation for certain roles.
Vendor Security History
Kirby maintains a mature security posture with a publicly documented security policy and a clear history of coordinated disclosures. The vendor provides long term support: the v5 branch receives security updates until June 2028 and the v4 branch is supported until November 2026. They encourage responsible disclosure through a dedicated security email address and provide a GPG key for encrypted communications. They actively backport security fixes to older major versions.
The 5.4.0 release that patches CVE-2026-41325 ships alongside fixes tracked under the following advisories:
| Vulnerability Type | Severity | Advisory Reference |
|---|---|---|
| Server Side Template Injection | High | GHSA-jcjw-58rv-c452 |
| Create Permission Bypass | High | GHSA-6gqr-mx34-wh8r |
| Access List Permission Bypass | High | GHSA-85x2-r8xv-ww8c |
| XML Injection | Medium | GHSA-9wfj-c55w-j9qr |
This clustering of fixes in a single release suggests the vendor may have conducted a broader security review or responded to findings from multiple researchers in a coordinated disclosure cycle.