CVE-2026-42069: Kirby CMS's read access to site, user and role information is not gated by permissions

Kirby’s user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/...). It is also possible to customize the permissions for each target model in the model blueprints (such as in site/blueprints/pages/...) using the options feature. The permissions and options together control the authorization of user actions.

In affected releases, Kirby did not provide permission settings that control the access to the site model as well as to users and user roles. If the site developer disabled all permissions via the wildcard "*": false setting, this only disabled the actions that were explicitly gated by existing permissions.

To be specific, the following permissions were missing in affected releases and have been added in the patches:

• site.access
• user.access and users.access (for the own user and other users respectively)
• user.list and users.list (for the own user and other users respectively)

Access to role information such as the list of existing roles, their names and descriptions as well as their configured permissions were also not gated by user-based permissions.