Missing Authorization in Kirby - #VU127197

 


Published: April 23, 2026


Vulnerability identifier: #VU127197
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Ian Stewart
Affected software:
Kirby

Detailed vulnerability description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to missing authorization in the /api/system REST API endpoint when handling authenticated requests. A remote authenticated user can send a request to the endpoint and obtain sensitive information.

The exposed information includes the installed Kirby version and the status, type and code of the installed license.
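
The following sketch is an added example, not Kirby's code: it models the missing-authorization pattern (CWE-862) described above next to a hardened handler that filters the version and license fields by permission. The permission name "access.system", the role table, the field names and the sample data are assumptions made for the illustration.

```python
"""CWE-862 on a system-info endpoint (constructed illustration, not Kirby's code)."""

# Constructed sample data; the sensitive fields mirror what the advisory lists.
SYSTEM_INFO = {
    "title": "Example Site",
    "version": "0.0.0-placeholder",
    "license": {"status": "active", "type": "placeholder", "code": "PLACEHOLDER-CODE"},
}

# Hypothetical permission name and roles, assumed for this example.
ROLE_PERMISSIONS = {
    "admin": {"access.system"},
    "editor": set(),
}

SENSITIVE_FIELDS = ("version", "license")


class Unauthorized(Exception):
    """Raised when the request carries no valid session (HTTP 401)."""


def system_info_vulnerable(user):
    # Authentication is checked, authorization is not: every logged-in
    # user receives the version and the license details.
    if user is None:
        raise Unauthorized()
    return dict(SYSTEM_INFO)


def system_info_hardened(user):
    # Authenticate first, then decide per field whether the caller's role
    # may see it. Unknown roles get no permissions (deny by default).
    if user is None:
        raise Unauthorized()
    allowed = "access.system" in ROLE_PERMISSIONS.get(user["role"], set())
    return {key: value for key, value in SYSTEM_INFO.items()
            if allowed or key not in SENSITIVE_FIELDS}


def exposed_fields(response):
    """Regression check: sensitive fields still present in a response body."""
    return sorted(field for field in SENSITIVE_FIELDS if field in response)
```

Running exposed_fields() over a response captured with a low-privileged account is a simple regression check after the update is installed.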


Remediation

Install the security update from the vendor's website.
