PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44177 getkirby CVE debrief

The Kirby content management system, in versions 5.3.0 and above but prior to 5.4.1, did not correctly validate user IDs, leading to a path traversal vulnerability. This issue allowed attackers to trigger arbitrary PHP file inclusion and probe for the existence of arbitrary directories on the server. The vulnerability was introduced as a performance improvement to the Users collection, loading user objects lazily when first needed. Users of Kirby versions 5.3.0 to 5.4.0 should update to version 5.4.1 to mitigate this vulnerability.

Vendor
getkirby
Product
kirby
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of Kirby versions 5.3.0 to 5.4.0, administrators, security teams, and operators of affected systems should be aware of this vulnerability and take necessary actions to mitigate it.

Technical summary

The vulnerability was introduced in Kirby version 5.3.0 as a performance improvement to the Users collection. The improvement loaded user objects lazily when first needed, querying users by their ID, which was then used to locate the corresponding account directory under site/accounts. This affected the authentication API, the users API, and any other place that uses $users->find() to look up an individual user by a request-provided email or ID. The issue allows for arbitrary PHP file inclusion and probing for the existence of arbitrary directories on the server.

Defensive priority

High

Recommended defensive actions

  • Update Kirby to version 5.4.1 or later
  • Review and validate user input to prevent path traversal attacks
  • Monitor server logs for suspicious activity
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-16T22:17:02.103Z and has not been modified since then. The NVD entry is currently 8.8 HIGH. The vulnerability affects users of Kirby versions 5.3.0 to 5.4.0. Evidence is limited to public sources and may not be comprehensive.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T22:17:02.103Z and has not been modified since then.