Missing Authorization in Kirby - CVE-2026-44176

 


Published: May 22, 2026


Vulnerability identifier: #VU132143
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-44176
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Ian Stewart
Affected software:
Kirby

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the main CMS router path resolver when rendering page drafts from a requested URL path. A remote user can request the full path to an existing page draft to disclose sensitive information.

Exploitation requires authentication and knowledge of the full path to an existing page draft. Write actions are not affected.


How to mitigate CVE-2026-44176

Install the security update from the vendor's website.
