CVE-2026-42051: Kirby CMS's system API endpoint leaks installed version and license data to authenticated users
Kirby’s user permissions control which user role is allowed to perform specific actions in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/...). The permissions control the authorization of user actions (with handling of model-specific authorization omitted here for brevity).
Kirby provides the access.system permission (among others), which controls access to the system area of the Kirby Panel. This area contains internal system information such as the installed Kirby, plugin and server versions, the security state and the Kirby license. If the access.system permission is disabled for a user role, users of that role should not be able to access this internal system information. However, some system information is also exposed via the /api/system REST API endpoint. In affected releases, the response of this endpoint for authenticated users contained the installed Kirby version and the status, type and code of the installed Kirby license. These values are considered sensitive information and should be protected by the access.system permission.
The installed Kirby version and license data can be used by malicious actors during reconnaissance when planning a separate attack.
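One way to verify that a patched install no longer exposes these values is to query /api/system with a test account whose role has access.system disabled and inspect the response for the version and license fields. The script below is an added example, not code from the advisory or the Kirby project. It assumes that the API wraps its payload in a `data` object, that the fields are named `version` and `license`, and that HTTP Basic authentication is enabled for the API (`api.basicAuth` in the Kirby config); the sample responses are constructed for offline use.

```python
"""Check whether /api/system still returns version/license data to a user
whose role lacks the access.system permission.

Added example, not part of the advisory or of Kirby. Assumptions: the
response envelope is {"data": {...}} and the sensitive keys are "version"
and "license"; verify both against the Kirby release you run.
"""
import base64
import json
import urllib.request

# Fields the advisory describes as sensitive and gated by access.system.
SENSITIVE_FIELDS = ("version", "license")


def leaked_system_fields(response, sensitive=SENSITIVE_FIELDS):
    """Return the sensitive keys that are present and non-empty in a parsed
    /api/system response. Keys that are absent, null or false count as hidden
    (assumption about how a fixed release masks them)."""
    if not isinstance(response, dict):
        return []
    payload = response.get("data")
    if not isinstance(payload, dict):
        payload = response  # tolerate an unwrapped response
    leaked = []
    for key in sensitive:
        value = payload.get(key)
        if value not in (None, False, "", {}):
            leaked.append(key)
    return leaked


def is_affected(response):
    """True if the response exposes any access.system-protected field."""
    return bool(leaked_system_fields(response))


def fetch_system(base_url, username, password, timeout=10):
    """GET /api/system as the given (low-privilege test) user via HTTP Basic
    auth. Requires api.basicAuth to be enabled in the Kirby config."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/system",
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample responses (placeholder values, not real license data).
SAMPLE_AFFECTED = {
    "code": 200,
    "status": "ok",
    "data": {
        "version": "x.y.z",
        "license": {"status": "active", "type": "PLACEHOLDER", "code": "K-PLACEHOLDER"},
        "isOk": True,
    },
}
SAMPLE_FIXED = {
    "code": 200,
    "status": "ok",
    "data": {"version": None, "license": None, "isOk": True},
}


if __name__ == "__main__":
    # Offline demonstration; replace with fetch_system(url, user, password)
    # against your own install using a role without access.system.
    for name, sample in (("affected", SAMPLE_AFFECTED), ("fixed", SAMPLE_FIXED)):
        print(name, "leaks:", leaked_system_fields(sample))
```

Run it against your own site with a dedicated test user whose blueprint disables access.system; an empty list from `leaked_system_fields` means the endpoint honours the permission.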