Cyber Posture

CVE-2026-34587

Severity: High

Published: 24 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: available (Kirby 4.9.0 / 5.4.0)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (8.4th percentile)
Risk Priority: 16 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34587 is a high-severity vulnerability in Getkirby Kirby that the NVD record files under CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine); the behaviour actually described is an authorization bypass in page creation over the REST API. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 8.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for page creation actions via the REST API, preventing bypass of the changeStatus permission and unauthorized publication of pages.

AC-6 Least Privilege (prevent)
Applies least privilege so that users holding only the pages.create permission cannot override the isDraft flag without explicit changeStatus authorization.

AC-5 Separation of Duties (prevent)
Enforces separation of duties between page creation and status change to maintain the intended draft-to-publish editorial workflow.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authorization bypass in public-facing CMS REST API directly enables exploitation of the web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). In affected releases, Kirby checked these permissions independently and only for the respective action. However, the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However, the REST API allows overriding the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Kirby has updated the `Options` logic to no longer double-resolve queries in option values coming from `OptionsQuery` or `OptionsApi` sources. Kirby now only resolves queries that are directly configured in the blueprints.

Deeper analysis

CVE-2026-34587 is a high-severity authorization vulnerability (CVSS 3.1 score of 8.1; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) affecting Kirby, an open-source content management system. In versions prior to 4.9.0 and 5.4.0, Kirby's user permissions for actions like `pages.create` and `pages.changeStatus` are defined in user and model blueprints and checked independently. However, the `pages.changeStatus` permission does not apply during page creation via the REST API, which allows overriding the default `isDraft` flag.

Authenticated attackers with the `pages.create` permission can exploit this by creating new pages directly as published via the REST API, bypassing the standard editorial workflow in which a draft is published separately, normally through the Kirby Panel by a user holding `pages.changeStatus`. The result is unauthorized publication of content: pages appear on the live site without review, which is where the high confidentiality and integrity impacts in the vector come from (content meant to stay unpublished is exposed, and the published site is altered). No privilege escalation beyond the creator role is involved; the gap is that one permission (`pages.changeStatus`) is never consulted on the creation path. The NVD record classifies the issue as CWE-1336, although the weakness described is an authorization check that is missing on the REST API creation path.

Mitigation is available in Kirby 4.9.0 and 5.4.0, which close the gap so that creating a page as non-draft is subject to the same `changeStatus` authorization as publishing an existing draft. The Kirby security advisory (GHSA-jcjw-58rv-c452) and the release notes for those versions describe the patch; the NVD description also notes a change to the `Options` logic so that queries from `OptionsQuery` or `OptionsApi` sources are no longer double-resolved and only queries configured directly in blueprints are resolved. Administrators should upgrade and, in the meantime, review which roles hold `pages.create` without `pages.changeStatus`: those are the accounts that can abuse the gap on an unpatched install, and the REST API is the path they would use.
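To make the gap concrete, here is a small model of the two code paths, added as an example and not Kirby's own code: a page-creation check that honours a caller-supplied `isDraft` flag while testing only `pages.create` (the behaviour the advisory describes), beside one that treats non-draft creation as a status change and therefore also requires `pages.changeStatus`. It also covers the review step from the mitigating-controls section above, listing roles that hold `pages.create` without `pages.changeStatus`. Only the permission names come from the advisory; the `Role` and `Page` classes, the function names and the sample roles are constructed for illustration.

```python
"""
Model of the CVE-2026-34587 authorization gap: page creation that honours a
client-supplied isDraft flag without checking pages.changeStatus.

Added example; this is NOT Kirby's code. The permission names mirror the
blueprint keys named in the advisory (pages.create, pages.changeStatus);
the Role/Page classes, function names and sample roles are constructed.
"""
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised when a role lacks the permission an action requires."""


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # e.g. {"pages.create", "pages.changeStatus"}

    def can(self, permission: str) -> bool:
        return permission in self.permissions


@dataclass(frozen=True)
class Page:
    slug: str
    is_draft: bool
    created_by: str


def create_page_vulnerable(role: Role, slug: str, is_draft: bool = True) -> Page:
    """Pre-4.9.0 / 5.4.0 behaviour as the advisory describes it: only
    pages.create is checked, and the REST API lets the caller override
    isDraft, so a page can be born already published."""
    if not role.can("pages.create"):
        raise PermissionDenied("pages.create required")
    return Page(slug=slug, is_draft=is_draft, created_by=role.name)


def create_page_fixed(role: Role, slug: str, is_draft: bool = True) -> Page:
    """Hardened check (our modelling of the fix, not Kirby's patch): creating
    a page as non-draft is a status change, so it additionally requires
    pages.changeStatus. Callers without it can still create drafts."""
    if not role.can("pages.create"):
        raise PermissionDenied("pages.create required")
    if not is_draft and not role.can("pages.changeStatus"):
        raise PermissionDenied("pages.changeStatus required to publish on creation")
    return Page(slug=slug, is_draft=is_draft, created_by=role.name)


def create_page_via_panel(role: Role, slug: str) -> Page:
    """The Panel path: isDraft is never client-controlled, always True."""
    return create_page_fixed(role, slug, is_draft=True)


def roles_at_risk(roles) -> list:
    """Review helper: roles that can create pages but not change status are
    the accounts that could exploit the gap on an unpatched install."""
    return sorted(r.name for r in roles
                  if r.can("pages.create") and not r.can("pages.changeStatus"))


# Constructed sample roles (not taken from any real Kirby install).
AUTHOR = Role("author", frozenset({"pages.create", "pages.update"}))
EDITOR = Role("editor", frozenset({"pages.create", "pages.update", "pages.changeStatus"}))
VIEWER = Role("viewer", frozenset())


def demo() -> dict:
    """Run both code paths with the sample roles and report what happened."""
    result = {}
    # Author abuses the REST API on an unpatched install: page is live at once.
    result["vulnerable_author_published"] = not create_page_vulnerable(
        AUTHOR, "leak", is_draft=False).is_draft
    # The same request against the fixed check is refused.
    try:
        create_page_fixed(AUTHOR, "leak", is_draft=False)
        result["fixed_author_blocked"] = False
    except PermissionDenied:
        result["fixed_author_blocked"] = True
    # Author can still create a draft; editor can still publish on creation.
    result["fixed_author_draft_ok"] = create_page_via_panel(AUTHOR, "draft").is_draft
    result["fixed_editor_published"] = not create_page_fixed(
        EDITOR, "news", is_draft=False).is_draft
    result["at_risk"] = roles_at_risk([AUTHOR, EDITOR, VIEWER])
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the author role publishing directly through the vulnerable path and being refused by the fixed one, while drafts and editor publishing keep working; the `roles_at_risk` output is the list worth reviewing on an install that has not yet been upgraded.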

Details

CWE(s): CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

Affected Products

getkirby / kirby: < 4.9.0 · 5.0.0 to < 5.4.0

CVEs Like This One

CVE-2026-32870 · Same product: Getkirby Kirby
CVE-2026-41325 · Same product: Getkirby Kirby
CVE-2025-49828 · Shared CWE-1336
CVE-2025-53909 · Shared CWE-1336
CVE-2026-21448 · Shared CWE-1336
CVE-2025-59340 · Shared CWE-1336
CVE-2025-67843 · Shared CWE-1336
CVE-2025-60355 · Shared CWE-1336
CVE-2026-28695 · Shared CWE-1336
CVE-2026-21450 · Shared CWE-1336
