CVE-2026-44174: Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints
In affected releases, Kirby did not validate the model attributes used in collection queries, so an attacker could name arbitrary model methods in a query. These include methods that return sensitive data, such as password() (disclosing the password hash) or root() (disclosing the absolute filesystem path on the server), as well as methods with side effects, such as loginPasswordless() (causing a privilege escalation to another user) or delete() (deleting every queried model in one go if the authenticated user has the required permissions).
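The root cause is a classic dynamic-dispatch mistake: an attribute name taken from the request is turned directly into a method call on the model, so every public method becomes reachable. The following PHP is an added illustration of that pattern and of the allowlist fix a defender would apply; it is not Kirby's code, and the DemoModel class, its methods, and the resolveUnchecked/resolveAllowlisted functions are constructed for this example.

```php
<?php
// Added example, not Kirby's code. DemoModel is a constructed stand-in for a
// CMS model: it has attributes that are safe to expose in a query result and
// methods that must never be reachable from user-supplied attribute names.
class DemoModel
{
    public function __construct(private string $title, private string $hash) {}

    // Safe, query-visible attributes.
    public function title(): string { return $this->title; }
    public function slug(): string { return strtolower(str_replace(' ', '-', $this->title)); }

    // Sensitive: returning these from a query would disclose secrets.
    public function password(): string { return $this->hash; }
    public function root(): string { return '/var/www/site/content/' . $this->slug(); }
}

// Vulnerable pattern: whatever attribute name arrives in the query becomes a
// method call. Nothing distinguishes title() from password() or root().
function resolveUnchecked(object $model, string $attribute): mixed
{
    return $model->$attribute();
}

// Hardened pattern: an explicit per-class allowlist of attribute names.
// The check runs before dispatch, and unknown names are rejected rather
// than being looked up with method_exists() or called.
const ALLOWED_ATTRIBUTES = [
    DemoModel::class => ['title', 'slug'],
];

function resolveAllowlisted(object $model, string $attribute): mixed
{
    $allowed = ALLOWED_ATTRIBUTES[$model::class] ?? [];
    if (!in_array($attribute, $allowed, true)) {
        throw new InvalidArgumentException("Attribute not allowed: $attribute");
    }
    return $model->$attribute();
}

// Usage with constructed sample data (the hash is a placeholder, not a real one).
$model = new DemoModel('Hello World', '$2y$10$constructed-placeholder-hash');

echo resolveAllowlisted($model, 'title'), PHP_EOL;

try {
    // A request naming a sensitive method is refused before any call happens.
    resolveAllowlisted($model, 'password');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The important design choice is that the allowlist is positive and per model class: adding a new public method to a model does not silently widen what a query can reach, which is exactly the failure the advisory describes. A denylist of known-sensitive names (password, root, delete, ...) would break again the next time a method with side effects is added.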