What is CVE-2026-42174?

CVE-2026-42174 is a medium-severity vulnerability in Getkirby Kirby, classified under Missing Authorization. CVSS score: 4.3/10. Published 2026-05-09.

How severe is CVE-2026-42174?

Medium severity. CVSS v3 base score is 4.3 out of 10.

Auth bypass in Getkirby Kirby

CVE-2026-42174

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.

Vulnerability class: Broken Access Control

EPSS: 0.000 (0.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.

Affected products

Getkirby Kirby — versions < 4.9.0, >= 5.0.0, < 5.4.0

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

security-advisories@github.com (x_refsource_MISC, Release Notes)
security-advisories@github.com (x_refsource_MISC, Release Notes)
security-advisories@github.com (x_refsource_CONFIRM, Patch, Vendor Advisory)

Frequently asked questions

What is CVE-2026-42174?: CVE-2026-42174 is a medium-severity vulnerability in Getkirby Kirby, classified under Missing Authorization. CVSS score: 4.3/10. Published 2026-05-09.
How severe is CVE-2026-42174?: Medium severity. CVSS v3 base score is 4.3 out of 10.