CVE-2026-42137: Kirby CMS's `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API

Kirby’s user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/...). It is also possible to customize the permissions for each target model in the model blueprints (such as in site/blueprints/pages/...) using the options feature. The permissions and options together control the authorization of user actions.

Kirby provides the pages.access, pages.list, files.access and files.list permissions (among others). The list permissions control whether affected models appear in lists throughout the Panel and REST API. The access permissions have the same effect but also disable direct access to the affected models.

In affected releases, Kirby did not consistently hide non-listable models (models for which the respective access or list permission was disabled) in the following scenarios:

• The changes dialog in the Panel listed changed models even if they were not listable.
• The REST API respected the permissions during direct model access, but did not consistently filter collections as well as related models that are included in the API responses for convenience. This includes:
• missing permission checks for children, drafts, files, parents and siblings of pages,
• missing permission checks for parents and siblings (next/nextWithTemplate , prev/prevWithTemplate) of files,
• missing permission checks for children, drafts and files of the site model,
• missing permission checks for files of users,
• incorrect permission checks for pages.access instead of pages.list for the site and pages children and search routes and
• incorrect permission checks for files.access instead of files.list for the account, site, pages and users files and search routes,
• The Panel images for site, pages and users were displayed in lists of the parent model even if the image files were not listable.
• The link targets for the previous and next files in the files view were not gated by the files being listable.