Auth bypass in Getkirby Kirby

CVE-2026-49274

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or…

Vulnerability class: Broken Access Control

Affected products

Weakness classification (CWE)

References