External Initialization of Trusted Variables or Data Stores in Kirby - CVE-2020-26253

Published: December 2, 2020 / Updated: April 23, 2026

Vulnerability identifier: #VU127186
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-26253
CWE-ID: CWE-454
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Ian Stewart
Affected software:
Kirby

Detailed vulnerability description

The vulnerability allows a remote attacker to register the first panel account and gain administrative access.

The vulnerability exists because the panel installation block initializes trusted variables from externally influenced data when it determines whether the site is local, so sites on .dev domains or behind some reverse proxy setups are treated as local. A remote attacker who reaches the panel registration flow before the legitimate administrator can register the first panel account and gain administrative access.

Exploitation is only possible if no panel account has been created yet.
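As an added illustration (not Kirby's own code), the following PHP 8 snippet contrasts a locality check of the kind described above, which trusts a .dev host suffix and the server's own address, with a hardened form that narrows the signals and requires an explicit opt-in for remote installation. The `$request` array is a constructed copy of `$_SERVER`, and the hardened rules and the `$allowRemoteInstall` flag are assumptions for this example.

```php
<?php
// Added illustration, not Kirby's own code: a CWE-454 style "is this site
// local?" check beside a hardened form. All rules here are assumptions.

const LOOPBACK = ['127.0.0.1', '::1'];

// Weak check: a .dev suffix (a public TLD) and the server's own address are
// taken as proof that only a local developer can reach the installer.
function installAllowedWeak(array $server): bool
{
    $host = strtolower($server['SERVER_NAME'] ?? '');
    return str_ends_with($host, '.dev')
        || in_array($server['SERVER_ADDR'] ?? '', LOOPBACK, true);
}

// Hardened check: remote installation needs an explicit opt-in; otherwise only
// localhost-style names count, and every address the visitor may have arrived
// from (including forwarded ones behind a reverse proxy) must be loopback.
function installAllowedHardened(array $server, bool $allowRemoteInstall = false): bool
{
    if ($allowRemoteInstall) {
        return true;
    }
    // SERVER_NAME may mirror the Host header depending on web server
    // configuration, so it only narrows the decision, never proves locality.
    $host = strtolower($server['SERVER_NAME'] ?? '');
    $localName = $host === 'localhost'
        || str_ends_with($host, '.localhost')
        || in_array($host, LOOPBACK, true);
    if (!$localName) {
        return false;
    }
    $candidates = array_filter(array_map('trim', [
        $server['REMOTE_ADDR'] ?? '',
        ...explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''),
    ]), 'strlen');
    if ($candidates === []) {
        return false; // unknown origin is not treated as local
    }
    foreach ($candidates as $ip) {
        if (!in_array($ip, LOOPBACK, true)) {
            return false;
        }
    }
    return true;
}

// Constructed request: a public client reaching the site through a proxy on
// the same host, so REMOTE_ADDR is loopback but the forwarded address is not.
$request = [
    'SERVER_NAME'          => 'example.dev',
    'SERVER_ADDR'          => '127.0.0.1',
    'REMOTE_ADDR'          => '127.0.0.1',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
];
var_dump(installAllowedWeak($request));     // bool(true): installer exposed
var_dump(installAllowedHardened($request)); // bool(false)
```

The point for defenders is that none of these request values can prove a site is local; on a production host the installer should be unreachable unless an administrator has explicitly enabled it.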

How to mitigate CVE-2020-26253

Install the security update from the vendor's website.