Incorrect authorization in Kirby - CVE-2026-40099


Published: April 23, 2026


Vulnerability identifier: #VU127195
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-40099
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Ian Stewart
Affected software:
Kirby

Detailed vulnerability description

The vulnerability allows a remote user to create published pages without authorization.

The vulnerability exists due to incorrect authorization in the page creation API when handling page creation requests with an overridden isDraft parameter. A remote user can send a crafted API request to create published pages without authorization.

The issue affects sites where users are allowed to create pages but are not allowed to change page status.
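The following is an added, hypothetical illustration of the CWE-863 pattern described above; it is not Kirby's code and assumes nothing about Kirby's real API beyond the description (a page-creation endpoint, a client-supplied `isDraft` value, and separate "create" and "change status" permissions). It places the vulnerable handler, which lets the client's `isDraft` decide publication, beside a hardened one that only honours a publish request when the caller also holds the status-change permission. The `User`, `PageCreateRequest`, `createPageVulnerable` and `createPageHardened` names and the permission strings are assumptions made for the example.

```php
<?php
// Hypothetical example (not Kirby's code): a page-creation handler that derives
// draft status from the caller's permissions instead of trusting a client-supplied
// isDraft override. Names and permission strings are assumptions for illustration.

final class User
{
    /** @param string[] $permissions e.g. ['create', 'changeStatus'] (assumed names) */
    public function __construct(public readonly string $name, private array $permissions) {}

    public function can(string $action): bool
    {
        return in_array($action, $this->permissions, true);
    }
}

final class PageCreateRequest
{
    /** @param array<string,mixed> $body decoded JSON body of the API request (assumed shape) */
    public function __construct(public readonly array $body) {}
}

/**
 * Vulnerable pattern: the handler honours $body['isDraft'] from the client, so a
 * user who may create pages but not change their status can publish directly.
 */
function createPageVulnerable(User $user, PageCreateRequest $req): array
{
    if (!$user->can('create')) {
        throw new RuntimeException('forbidden: create');
    }
    $isDraft = $req->body['isDraft'] ?? true;   // client controls publication
    return ['slug' => $req->body['slug'], 'isDraft' => (bool) $isDraft];
}

/**
 * Hardened pattern: creation always yields a draft unless the same user also
 * holds the permission that governs status changes. The client value is a
 * request, never the decision.
 */
function createPageHardened(User $user, PageCreateRequest $req): array
{
    if (!$user->can('create')) {
        throw new RuntimeException('forbidden: create');
    }
    $wantsPublished = array_key_exists('isDraft', $req->body) && $req->body['isDraft'] === false;
    if ($wantsPublished && !$user->can('changeStatus')) {
        // Reject explicitly rather than silently downgrading, so the attempt is
        // visible in logs and the client cannot mistake a draft for a publish.
        throw new RuntimeException('forbidden: changeStatus');
    }
    return ['slug' => $req->body['slug'], 'isDraft' => !$wantsPublished];
}

// Constructed demonstration input: an editor allowed to create but not to publish,
// sending a request that overrides isDraft to false.
$editor  = new User('editor', ['create']);
$request = new PageCreateRequest(['slug' => 'news', 'isDraft' => false]);

$vulnerable = createPageVulnerable($editor, $request);
printf("vulnerable handler: isDraft=%s\n", var_export($vulnerable['isDraft'], true));

try {
    $hardened = createPageHardened($editor, $request);
    printf("hardened handler: isDraft=%s\n", var_export($hardened['isDraft'], true));
} catch (RuntimeException $e) {
    printf("hardened handler rejected request: %s\n", $e->getMessage());
}
```

Running the script with the constructed editor shows the vulnerable handler returning a published page while the hardened handler refuses the request, which is the behaviour a site should expect when a user can create pages but not change their status. Logging the rejection, as the hardened branch does, also gives detection a signal for repeated publish attempts by accounts that lack the status permission.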


How to mitigate CVE-2026-40099

Install the security update from the vendor's website.

Sources