CVE-2026-45334: Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions
In affected releases, the content lock information, which identifies the user currently holding the lock on a model, was returned without checking whether the requesting user had permission to access or list that user.
This allowed a low-privilege authenticated Panel user, whose role was configured with `users.access: false` or `users.list: false`, to learn the email address and identifier of any user who currently had a model open for editing in the Panel, including administrators and other higher-privilege users. Content locks are active for a configurable window (10 minutes by default).
The email address can be used to enumerate admin accounts, to target phishing, and to feed credential-stuffing attacks against the Kirby installation or other sites.
The internal user ID can be cross-referenced with other endpoints once the requester has obtained a higher privilege through unrelated means.
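As an added illustration, not Kirby's own code, the following Python model contrasts a lock payload that always returns the locking user's id and email with one that keeps the lock signal but withholds the identity when the requester's role lacks `users.access` or `users.list`. The class names, the `locked` flag, the permission-dictionary shape and the sample users are assumptions.

```python
"""Model of the CVE-2026-45334 defect and its mitigation.

Hypothetical types and field names; the only facts taken from the advisory
are the permission keys users.access / users.list and the 10-minute lock window.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LOCK_TTL = timedelta(minutes=10)  # default content-lock window per the advisory


@dataclass(frozen=True)
class User:
    id: str
    email: str
    permissions: dict  # e.g. {"users.access": False, "users.list": False}


@dataclass(frozen=True)
class Lock:
    user: User            # the user who has the model open for editing
    acquired_at: datetime


def lock_is_active(lock: Lock, now: datetime) -> bool:
    return now - lock.acquired_at < LOCK_TTL


def lock_payload_vulnerable(lock: Lock, requester: User, now: datetime):
    """Affected behaviour: identity of the locking user is always disclosed."""
    if not lock_is_active(lock, now):
        return None
    return {"locked": True, "user": {"id": lock.user.id, "email": lock.user.email}}


def can_see_user(requester: User, target: User) -> bool:
    """A user may always see themselves; seeing others needs access and list rights."""
    if requester.id == target.id:
        return True
    perms = requester.permissions
    return bool(perms.get("users.access", True) and perms.get("users.list", True))


def lock_payload_fixed(lock: Lock, requester: User, now: datetime):
    """Mitigated behaviour: the lock state stays visible (the editor must know the
    model is locked), but id/email are only included when the requester may see
    the locking user under the users.access / users.list permissions."""
    if not lock_is_active(lock, now):
        return None
    payload = {"locked": True}
    if can_see_user(requester, lock.user):
        payload["user"] = {"id": lock.user.id, "email": lock.user.email}
    return payload


def build_scenario():
    """Constructed sample data: an admin holds a lock, a restricted editor asks."""
    now = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)
    admin = User("a1", "admin@example.test", {"users.access": True, "users.list": True})
    editor = User("e1", "editor@example.test", {"users.access": False, "users.list": False})
    return Lock(admin, now - timedelta(minutes=3)), Lock(admin, now - timedelta(minutes=11)), admin, editor, now
```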