Auth bypass in Getkirby Kirby

CVE-2026-40099

Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions on content models in the CMS. These permissions are defined for each role in the user blueprint (`si…

Vulnerability class: Broken Access Control

EPSS: 0.000 (8.3th percentile)

Affected products

Weakness classification (CWE)

References