Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites where a role has the pages.access permission disabled allowed authenticated users who know or guess page IDs or UUIDs to retrieve page information, including full content and metadata, for arbitrary published pages through the /api/site/find route without authorization to access those pages. This issue is fixed in versions 4.9.4 and 5.4.4.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-r3w8-2c5r-h9j9 | Kirby: `pages.access` permission is not checked in the `site/find` REST API route |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Thu, 09 Jul 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Getkirby
Getkirby kirby |
|
| Vendors & Products |
Getkirby
Getkirby kirby |
Thu, 09 Jul 2026 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites where a role has the pages.access permission disabled allowed authenticated users who know or guess page IDs or UUIDs to retrieve page information, including full content and metadata, for arbitrary published pages through the /api/site/find route without authorization to access those pages. This issue is fixed in versions 4.9.4 and 5.4.4. | |
| Title | Kirby: `pages.access` permission is not checked in the `site/find` REST API route | |
| Weaknesses | CWE-862 | |
| References |
|
|
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-09T18:47:02.487Z
Reserved: 2026-06-11T16:34:11.635Z
Link: CVE-2026-54005
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-09T21:15:05Z
Weaknesses
Github GHSA