CVE-2026-44176: Kirby CMS's `pages.access` permission is not checked during rendering of page drafts
In affected releases, Kirby allowed page drafts to be rendered if any valid user was authenticated, even if that user did not have access to the specific page model. Authenticated attackers with knowledge of the full path to an existing page draft could then access the rendered frontend page. This could lead to the disclosure of sensitive information, e.g. ahead of the launch of a new product or post.