Kirby is missing permission checks in the content changes API

説明

TL;DR

This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write actions, specifically by disabling the update permission with the intent to prevent modifications to site content.

If developers haven't configured any user permissions that deviate from the default of allowing all actions, their site is not affected.


Introduction

Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions.

Permissions for updating content have already existed and could be configured for each model type, but were not enforced by Kirby's API backend code during operations to the changes version.

The changes version is the content version that contains unsaved changes of existing models (pages, users, files or the site).

Impact

The missing permission checks allowed attackers with Panel access to create or discard a changes version or update the content fields in an existing changes version. All of these actions could affect arbitrary models.

This could cause the following impact:

  • Attackers could maliciously create changes versions for all models of the site, creating editing locks that would prevent other authenticated users from making content changes until those locks were cleared.
  • Attackers could update the content in a malicious way, for example by adding defamatory or spam content or by including malicious links or scripts. While this updated content would not immediately be published to the site, an inattentive editor with update permissions could inadvertently publish these changes in the belief that an authorized user has made them.
  • Attackers could discard extensive changes, making editors lose their content work.

Patches

The problem has been patched in Kirby 5.2.2. Please update to this or a later version to fix the vulnerability.

In the mentioned release, we have added checks for the model update permissions that ensure that users without this permission cannot create, edit or discard the changes version of the respective model.

A future Kirby release will add separate edit and save permissions that will make it possible to control write actions to model content more granularly.

Credits

Thanks to Lukas Kleinschmidt (@lukaskleinschmidt) for responsibly reporting the identified issue.

基本情報

タイプ
reviewed
深刻度
medium
GitHub 上のアドバイザリ
アドバイザリを開く ↗
リポジトリのアドバイザリ
リポジトリのアドバイザリを開く ↗
ソースコード
ソースを見る ↗
公開(アドバイザリ)
2026-01-08 20:32:05 UTC
更新
2026-01-08 20:32:07 UTC
GitHub レビュー済み
2026-01-08 20:32:05 UTC
NVD で公開
2026-01-08

EPSS Score

Score Percentile
0.03% 7.99%

CVSS Scores

Base score Version Severity Vector
5.8 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N クリックして展開
攻撃ベクター (AV:N)
インターネットや社内 WAN など、ルーティングされたネットワーク越しに遠隔から踏み台にしうる。
攻撃の複雑さ (AC:L)
手順が短く、再現性が高い。
攻撃要件 (AT:P)
特定のミドルウェア状態やデータ配置など、追加前提が揃わないと成立しない。
必要な権限 (PR:L)
一般ユーザー権限で足り、管理者は不要。
ユーザーの関与 (UI:A)
設定変更やマクロ有効化など、意図的な操作がトリガーになる。
脆弱システムの機密性への影響 (VC:N)
脆弱な対象から機微情報が読まれうる余地はほとんどない。
脆弱システムの完全性への影響 (VI:H)
監査ログの改竄や広範なデータ偽装など、信頼根拠を崩す水準。
脆弱システムの可用性への影響 (VA:L)
遅延や断続的障害、一部機能の停止など、運用で吸収しうる範囲。
後続システムの機密性への影響 (SC:N)
脆弱点を経由して下流の機微情報が読まれうる余地はほとんどない。
後続システムの完全性への影響 (SI:N)
下流の記録や設定が歪められる局面はほとんど想定されない。
後続システムの可用性への影響 (SA:N)
下流サービスが止まるほどの影響は想定しにくい。

Identifiers

CWEs

CWE id Name
CWE-863 Incorrect Authorization

Credits

  • lukaskleinschmidt (finder)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer getkirby/cms >= 5.0.0, <= 5.2.1 5.2.2

References

cvelogic Threat Intelligence