CVE-2026-54004: Kirby: Access to files of top-level drafts is not protected by permissions

In affected releases, the clean file redirects didn’t take access logic for drafts into account. When a file stored in a draft page was accessed via its clean file URL, Kirby immediately redirected to the physical media URL without first checking whether the draft page was accessible to the user or visitor. This only affected top-level drafts (direct children of the site) because clean file URLs currently don’t work for drafts that are nested under another page.

The unauthorized clean file URL redirects for files in top-level drafts can lead to disclosure of sensitive information or data, e.g., ahead of the launch of a new product or post.

A successful attack requires knowledge of the full path to the draft page and file, and therefore requires knowing the full clean file URL.