{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40099", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T01:41:38.536Z", "datePublished": "2026-04-24T00:34:02.125Z", "dateUpdated": "2026-04-25T01:41:56.640Z"}, "containers": {"cna": {"title": "Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r"}, {"name": "https://github.com/getkirby/kirby/releases/tag/4.9.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/getkirby/kirby/releases/tag/4.9.0"}, {"name": "https://github.com/getkirby/kirby/releases/tag/5.4.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/getkirby/kirby/releases/tag/5.4.0"}], "affected": [{"vendor": "getkirby", "product": "kirby", "versions": [{"version": "< 4.9.0", "status": "affected"}, {"version": ">= 5.0.0, < 5.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T00:34:02.125Z"}, "descriptions": [{"lang": "en", "value": "Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). Prior to versions 4.9.0 and 5.4.0, Kirby checked these permissions independently and only for the respective action. However the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However the REST API allows to override the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Kirby has added a check to the page creation rules that ensures that users without the `pages.changeStatus` permission cannot create published pages, only page drafts."}], "source": {"advisory": "GHSA-w942-j9r6-hr6r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-25T01:41:45.982848Z", "id": "CVE-2026-40099", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:41:56.640Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40099", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-25T01:41:45.982848Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:41:50.543Z"}}], "cna": {"title": "Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter", "source": {"advisory": "GHSA-w942-j9r6-hr6r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "getkirby", "product": "kirby", "versions": [{"status": "affected", "version": "< 4.9.0"}, {"status": "affected", "version": ">= 5.0.0, < 5.4.0"}]}], "references": [{"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r", "name": "https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/getkirby/kirby/releases/tag/4.9.0", "name": "https://github.com/getkirby/kirby/releases/tag/4.9.0", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/getkirby/kirby/releases/tag/5.4.0", "name": "https://github.com/getkirby/kirby/releases/tag/5.4.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). Prior to versions 4.9.0 and 5.4.0, Kirby checked these permissions independently and only for the respective action. However the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However the REST API allows to override the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Kirby has added a check to the page creation rules that ensures that users without the `pages.changeStatus` permission cannot create published pages, only page drafts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T00:34:02.125Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40099", "state": "PUBLISHED", "dateUpdated": "2026-04-25T01:41:56.640Z", "dateReserved": "2026-04-09T01:41:38.536Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T00:34:02.125Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*", "matchCriteriaId": "1BB5394F-37F9-4A53-9CE7-79548F674886", "versionEndExcluding": "4.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2D943B9-CD71-45FE-A1A4-158603C3502E", "versionEndExcluding": "5.4.0", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). Prior to versions 4.9.0 and 5.4.0, Kirby checked these permissions independently and only for the respective action. However the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However the REST API allows to override the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Kirby has added a check to the page creation rules that ensures that users without the `pages.changeStatus` permission cannot create published pages, only page drafts."}], "id": "CVE-2026-40099", "lastModified": "2026-04-27T19:12:30.627", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T01:16:12.273", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/getkirby/kirby/releases/tag/4.9.0"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/getkirby/kirby/releases/tag/5.4.0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.9.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.4.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "inferred", "scores": [{"score": 100.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "kirby", "source": "cna", "vendor": "getkirby"}, "product": "kirby", "vendor": "getkirby"}], "analysis": {"en": {"generated_at": "2026-04-28T07:04:45.017637+00:00", "value": {"mitigation_remediation": ["Upgrade Kirby to at least version 4.9.0 or 5.4.0 where the isDraft check is enforced during page creation", "Verify that roles which do not require publishing capabilities are not granted the pages.changeStatus permission", "Review API access controls to ensure that the isDraft parameter cannot be set to true by unauthenticated or low\u2011privilege users", "Test content creation workflows after patching to confirm that published pages cannot be bypassed through the API"], "summary": {"action": "Patch immediately", "impact": "Unauthorized publishing of pages by bypassing the changeStatus permission"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the Kirby content management system running a version earlier than 4.9.0 or 5.4.0. Users who have configured roles with only the pages.create permission\u2014without also granting pages.changeStatus\u2014are at risk because the API does not check for the latter during page creation.", "description_and_impact": "Kirby\u2019s page creation API incorrectly allows the isDraft flag to be overridden, enabling any authenticated user with the pages.create permission to publish pages directly. Because the changeStatus permission is not enforced at page creation time, an attacker can add content that bypasses the normal editorial workflow and immediately makes it visible to all users. This can lead to accidental exposure of incomplete or inappropriate content and can be leveraged by malicious attackers to inject or modify site content without the oversight normally provided by editorial reviews.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity while the EPSS score of less than 1% suggests that exploitation is unlikely at this time. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers must first authenticate and obtain the pages.create permission, then use the REST API\u2019s unfiltered isDraft parameter to create a published page. Once posted, the page is immediately visible to all site visitors, providing an efficient vector for content injection or misinformation. The risk is highest when user roles are overly permissive or the CMS is exposed to a large user base."}}}}, "created": "2026-04-27T21:15:05.348446+00:00", "updated": "2026-04-28T07:15:19.372441+00:00", "vendors": ["getkirby", "getkirby$PRODUCT$kirby"]}