Incorrect authorization in Kirby - CVE-2026-41325

Published: April 23, 2026


Vulnerability identifier: #VU127194
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-41325
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Ian Stewart
Affected software:
Kirby

Detailed vulnerability description

The vulnerability allows a remote authenticated user to bypass create permission checks and create pages, files, or users they are not permitted to create.

The vulnerability exists due to incorrect authorization in the page, file, and user creation APIs when a creation request carries a crafted blueprint parameter. A remote user with a low-privileged account (the vector string requires PR:L) can inject a custom dynamic blueprint configuration that these APIs trust when evaluating create permissions, and thereby create pages, files, or users even though the user's role or the model's blueprint forbids it.

The issue affects sites that rely on the relevant create permission being disabled in user blueprints, model blueprints, or both; where creation is already allowed to every role there is nothing for the bypass to circumvent.
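The following Python model is added here as an illustration of the flaw class the description refers to; it is not Kirby's own code and does not reproduce Kirby's actual permission resolution. It shows a creation handler that accepts a `blueprint` mapping from the request and lets that mapping's `options.create` value decide the permission check, beside a hardened version that resolves blueprints by name from server-side definitions only and additionally requires the role's own create permission. The blueprint and request shapes, the `article`/`note` templates and the `admin`/`editor` roles are constructed assumptions that loosely follow Kirby's YAML conventions.

```python
"""
Simplified model of the authorization flaw class behind CVE-2026-41325:
a create-permission check that reads permission-relevant configuration from
a blueprint the client supplied. Constructed example; not Kirby's code, and
the blueprint/request shapes below are assumptions, not the real format.
"""
from typing import Any, Mapping

# Constructed server-side blueprints (stand-ins for blueprint files on disk).
# Model blueprints: whether pages of a template may be created, as a bool or
# as a per-role mapping.
PAGE_BLUEPRINTS: dict[str, dict[str, Any]] = {
    "article": {"options": {"create": False}},
    "note": {"options": {"create": {"admin": True, "editor": False}}},
}
# User (role) blueprints: the role's default create permission for pages.
USER_BLUEPRINTS: dict[str, dict[str, Any]] = {
    "admin": {"permissions": {"pages": {"create": True}}},
    "editor": {"permissions": {"pages": {"create": False}}},
}


def _resolve_option(value: Any, role: str, default: bool) -> bool:
    """A create option may be a plain bool or a per-role mapping."""
    if isinstance(value, bool):
        return value
    if isinstance(value, Mapping):
        return bool(value.get(role, default))
    return default


def role_allows_create(role: str) -> bool:
    """Create permission from the role's (user) blueprint on the server."""
    perms = USER_BLUEPRINTS.get(role, {}).get("permissions", {})
    return bool(perms.get("pages", {}).get("create", False))


def can_create_vulnerable(role: str, request: Mapping[str, Any]) -> bool:
    """Vulnerable pattern: if the request carries a 'blueprint' mapping it is
    treated as a dynamic blueprint definition, and its options decide the
    outcome, overriding both the on-disk model blueprint and the role's own
    permission. Any authenticated caller controls the check's input."""
    blueprint = request.get("blueprint")
    if not isinstance(blueprint, Mapping):
        blueprint = PAGE_BLUEPRINTS.get(request.get("template", ""), {})
    create_opt = blueprint.get("options", {}).get("create")
    if create_opt is None:
        return role_allows_create(role)
    return _resolve_option(create_opt, role, role_allows_create(role))


def can_create_fixed(role: str, request: Mapping[str, Any]) -> bool:
    """Hardened pattern: the blueprint is looked up by name among server-side
    definitions only; a client-supplied 'blueprint' key is ignored, unknown
    templates are refused, and the role permission must hold as well."""
    template = request.get("template")
    if not isinstance(template, str) or template not in PAGE_BLUEPRINTS:
        return False
    create_opt = PAGE_BLUEPRINTS[template].get("options", {}).get("create", True)
    model_ok = _resolve_option(create_opt, role, True)
    return model_ok and role_allows_create(role)


def demo() -> list[tuple[str, bool, bool]]:
    """Run constructed requests through both checks: (label, vulnerable, fixed)."""
    crafted_bool = {"template": "article", "blueprint": {"options": {"create": True}}}
    crafted_role = {"template": "note", "blueprint": {"options": {"create": {"editor": True}}}}
    cases = [
        ("editor, honest request for article", "editor", {"template": "article"}),
        ("editor, injected create:true", "editor", crafted_bool),
        ("editor, injected per-role create", "editor", crafted_role),
        ("admin, honest request for note", "admin", {"template": "note"}),
    ]
    return [(label, can_create_vulnerable(r, req), can_create_fixed(r, req))
            for label, r, req in cases]


if __name__ == "__main__":
    for label, vuln, fixed in demo():
        print(f"{label:40s} vulnerable={vuln!s:5s} fixed={fixed}")
```

The two crafted requests are the point: with the honest request the editor is denied by both checks, but once the request carries its own `blueprint` the vulnerable check returns true for the same editor, while the hardened check still consults only the server-side `article` and `note` blueprints and the editor's role permission and keeps denying.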


How to mitigate CVE-2026-41325

Install the security update from the vendor's website.

Sources