CVE-2026-21896

5.7 MEDIUM

📋 TL;DR

This vulnerability allows users with restricted permissions to bypass intended write restrictions in Kirby CMS. Attackers with authenticated access can modify site content even when their role is configured to prevent updates. It affects Kirby sites running versions 5.0.0 through 5.2.1 where custom user permissions have been configured.

💻 Affected Systems

Products:
  • Kirby CMS
Versions: 5.0.0 to 5.2.1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects sites whose user role blueprints (site/blueprints/users/*.yml) define a permissions section that restricts write access. Sites that rely on Kirby's default roles and permissions are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious authenticated users could deface websites, inject malicious content, or compromise site integrity by modifying critical content they shouldn't have access to.

🟠 Likely Case

Users with restricted permissions could accidentally or intentionally modify content they're not authorized to change, leading to data integrity issues.

🟢 If Mitigated

With proper access controls and monitoring, unauthorized changes could be detected and rolled back before causing significant damage.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but minimal technical skill once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.2

Vendor Advisory: https://github.com/getkirby/kirby/security/advisories/GHSA-4j78-4xrm-cr2f

Restart Required: No

Instructions:

1. Back up your Kirby site (content, accounts and the kirby folder).
2. Update Kirby to version 5.2.2. For Composer-managed sites run `composer require getkirby/cms:^5.2.2` (or `composer update getkirby/cms` if your constraint already allows 5.2.2). For sites installed from the Starterkit/Plainkit download without Composer, replace the `kirby` folder with the one from the 5.2.2 release.
3. Verify the update completed successfully (see How to Verify below) and re-test a restricted role against a page it must not edit.

🔧 Temporary Workarounds

Temporary Permission Review (scope: all affected versions)

Review and temporarily adjust user permissions to ensure no users have unintended access levels while planning the update. Because the bug is that a configured write restriction is not enforced, do not rely on the restriction itself; remove or downgrade accounts that must not write until the update is in place.

🧯 If You Can't Patch

  • Implement strict access controls and monitor all content changes through logging
  • Consider temporarily disabling content modification features for restricted users
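The two points above can both be done with Kirby's hook system. The following `site/config/config.php` fragment is an added example for this page, not code from Kirby or from the advisory: it refuses page updates from roles in a hard-coded deny list (so the restriction no longer depends on the broken permission check) and appends one JSON line per successful update to an audit log, which gives the detection queries below something to run against. The role names `translator` and `reviewer`, the log file name `content-audit.log`, and the use of Kirby's `logs` root (site/logs by default) are assumptions; adapt them to your own role blueprints.

```php
<?php
// site/config/config.php (added example, not part of Kirby or the advisory)

use Kirby\Cms\Page;
use Kirby\Exception\PermissionException;
use Kirby\Filesystem\F;

// Roles that must not change content until the site runs Kirby >= 5.2.2.
// Assumption: these names match blueprints in site/blueprints/users/.
$readOnlyRoles = ['translator', 'reviewer'];

return [
    'hooks' => [
        // Runs before Page::update(), whether the change comes from the Panel,
        // the REST API or site code. Throwing here aborts the write.
        // Inside hook closures $this is the Kirby\Cms\App instance.
        'page.update:before' => function (Page $page, array $values, array $strings) use ($readOnlyRoles) {
            $role = $this->user()?->role()->name() ?? 'anonymous';
            if (in_array($role, $readOnlyRoles, true)) {
                throw new PermissionException(
                    'Content updates are disabled for role "' . $role . '" (CVE-2026-21896 workaround)'
                );
            }
        },

        // Runs after a successful update: record who changed which fields of which page.
        'page.update:after' => function (Page $newPage, Page $oldPage) {
            $user    = $this->user();
            $changed = array_keys(array_diff_assoc(
                $newPage->content()->toArray(),
                $oldPage->content()->toArray()
            ));
            $line = json_encode([
                'time'    => date(DATE_ATOM),
                'event'   => 'page.update',
                'user'    => $user?->email() ?? 'anonymous',
                'role'    => $user?->role()->name() ?? 'anonymous',
                'page'    => $newPage->id(),
                'changed' => $changed,
            ]) . PHP_EOL;

            // Assumption: site/logs is writable; F::write(..., true) appends.
            F::write($this->root('logs') . '/content-audit.log', $line, true);
        },
    ],
];
```

The deny hook covers field updates only. If the restricted roles must also be kept from renaming, re-slugging or publishing pages, register the same check for `page.changeTitle:before`, `page.changeSlug:before` and `page.changeStatus:before` (their closure parameters differ, so copy the body rather than the signature). Note that hooks also fire for updates made from your own templates, plugins or CLI scripts, so whitelist those paths if they run as a restricted user.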

🔍 How to Verify

Check if Vulnerable:

Determine the installed Kirby version (see Check Version below). If it is 5.0.0 through 5.2.1 inclusive and any user role blueprint restricts write permissions, the site is vulnerable.

Check Version:

For Composer-managed sites read the installed version of `getkirby/cms` from composer.lock or `composer show getkirby/cms`; composer.json only holds the version constraint, not the installed release. For sites installed without Composer, the `kirby/composer.json` shipped inside the kirby folder carries a `version` field, and the Panel's System view shows the running version.

Verify Fix Applied:

Verify the installed Kirby version is 5.2.2 or higher, then log in as a user of a restricted role and attempt to update a page it must not edit, both in the Panel and through the Panel's REST API. Both attempts should be rejected.
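A small script for the Check Version and Verify Fix Applied steps, added here as an example (not code from Kirby or the advisory). It locates the installed `getkirby/cms` version the way described above, composer.lock first and the kirby folder's own composer.json second, and classifies it against the range this advisory lists. Running `php check-kirby-version.php /path/to/site` across a fleet of sites is faster than opening each Panel.

```php
<?php
// check-kirby-version.php (added example, not part of Kirby or the advisory)
// Usage: php check-kirby-version.php /path/to/site

const FIRST_AFFECTED = '5.0.0';
const FIRST_FIXED    = '5.2.2';

/** Classify an installed Kirby version string against the advisory range. */
function kirbyStatus(string $version): string
{
    $v = ltrim(trim($version), 'v');             // composer.lock may record "v5.2.1"
    if (!preg_match('/^\d+\.\d+\.\d+/', $v)) {
        return 'unknown';                         // dev-master, branch aliases, etc.
    }
    // version_compare() orders pre-releases below the final release,
    // so "5.2.2-rc.1" is still reported as vulnerable.
    if (version_compare($v, FIRST_AFFECTED, '<')) {
        return 'outside-advisory-range';          // below 5.0.0; not covered by this advisory
    }
    return version_compare($v, FIRST_FIXED, '<') ? 'vulnerable' : 'fixed';
}

/** Find the installed version: composer.lock first (exact), then kirby/composer.json. */
function installedKirbyVersion(string $root): ?string
{
    $lock = "$root/composer.lock";
    if (is_file($lock)) {
        $data = json_decode((string) file_get_contents($lock), true);
        foreach ($data['packages'] ?? [] as $pkg) {
            if (($pkg['name'] ?? '') === 'getkirby/cms') {
                return $pkg['version'] ?? null;
            }
        }
    }
    // Non-Composer installs: the kirby folder ships its own composer.json
    // with a "version" field (the same file App::version() reads).
    $manifest = "$root/kirby/composer.json";
    if (is_file($manifest)) {
        $data = json_decode((string) file_get_contents($manifest), true);
        return $data['version'] ?? null;
    }
    return null;
}

$root    = $argv[1] ?? getcwd();
$version = installedKirbyVersion($root);
printf(
    "%s: getkirby/cms %s -> %s\n",
    $root,
    $version ?? 'not found',
    $version !== null ? kirbyStatus($version) : 'unknown'
);
```

If the lock file and the kirby folder disagree (for example after a manual folder swap on a Composer-managed site), trust the kirby folder: that is the code actually executing, and composer.lock should be regenerated.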

📡 Detection & Monitoring

Log Indicators:

  • Content modifications recorded for users whose role is configured without update permission
  • Requests to the Panel API's content-change endpoints from accounts that should be read-only

Network Indicators:

  • PATCH requests to /api/pages/<id> (page updates) and POST requests to other /api/pages/... and /api/files/... endpoints (create, title, slug and status changes) from restricted accounts. Web server access logs show the method and path but not the Kirby user, so correlate them with Panel session or audit logs.

SIEM Query:

source="kirby_logs" AND (event="content_modified" OR event="api_call") AND user_role="restricted"

Kirby core does not ship a content audit log, so the `source`, `event` and `user_role` fields above are placeholders for whatever your own hook or plugin emits; map them to your actual field names before deploying the rule.
