Missing Authorization in Kirby - CVE-2026-45334
Published: May 22, 2026
Vulnerability identifier: #VU132137
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-45334
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Ian Stewart
Affected software:
Kirby
Kirby
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to missing authorization in the content-locking feature when returning Panel view payloads and lock-related error responses. A remote user can access lock information for users they are not permitted to access or list to disclose sensitive information.
Exploitation requires an authenticated Panel account and affects sites that restrict user visibility with the users.access or users.list permissions. Only users who currently have a model open for editing are exposed, and lock records remain active for a configurable period of 10 minutes by default.
How to mitigate CVE-2026-45334
Install security update from vendor's website.