PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45334 getkirby CVE debrief

A vulnerability in Kirby, an open-source content management system, allowed low-privilege authenticated users to learn the email address and identifier of any user who currently had a model open for editing in the Panel. This issue has been fixed in versions 4.9.1 and 5.4.1. The vulnerability affects Kirby installations with low-privilege authenticated Panel users, who could exploit this issue to learn sensitive information about other users. The issue has a medium severity and CVSS score of 5.3.

Vendor
getkirby
Product
kirby
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of Kirby CMS, especially those with low-privilege authenticated Panel users, should be aware of this vulnerability and take steps to upgrade to a patched version. Affected operators should review user roles and permissions, and security teams should monitor for suspicious activity. Platform administrators should verify that their installations are not exposed and plan vendor-supported updates or mitigations.

Technical summary

The content-locking feature in Kirby returned lock information without checking the requesting user's access permissions. This allowed low-privilege authenticated Panel users to learn the email address and identifier of any user who currently had a model open for editing in the Panel, including administrators and other higher-privilege users. The vulnerability affects Kirby installations with low-privilege authenticated Panel users and has been fixed in versions 4.9.1 and 5.4.1.

Defensive priority

Medium priority, as it allows for admin account enumeration, target phishing, and feed credential-stuffing attacks.

Recommended defensive actions

  • Upgrade to Kirby version 4.9.1 or 5.4.1
  • Review and adjust user roles and permissions
  • Monitor for suspicious activity
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-16T22:17:02.550Z and has not been modified since then. The NVD entry is currently 5.3 (MEDIUM). The content-locking feature in Kirby returned lock information without checking the requesting user's access permissions, allowing low-privilege authenticated Panel users to learn the email address and identifier of any user who currently had a model open for editing in the Panel. This issue has been fixed in versions 4.9.1 and 5.4.1. Evidence limits suggest that defenders verify affected Kirby installations and review user roles and permissions.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T22:17:02.550Z and has not been modified since then.