PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49274 getkirby CVE debrief

The CVE record for CVE-2026-49274 was published on 2026-07-09T19:17:05.490Z and remains unchanged. The NVD entry is currently Deferred. This Kirby CMS vulnerability allows authenticated users to check for the existence of arbitrary pages and retrieve their title field values due to a flaw in the pages field when roles have the pages.access permission disabled. Users of Kirby CMS versions prior to 4.9.4 and 5.4.4 with specific role configurations should be aware of this issue. The CVSS score is 5.3, indicating a medium severity vulnerability.

Vendor
getkirby
Product
kirby
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Users of Kirby CMS versions prior to 4.9.4 and 5.4.4 who have the pages.access permission disabled for certain roles should be aware of this issue. This includes operators managing content, platform administrators responsible for role configurations, vulnerability management teams assessing exposure, and security teams monitoring for potential exploitation. They should review role permissions, monitor for suspicious activity, and plan for remediation.

Technical summary

Kirby CMS versions prior to 4.9.4 and 5.4.4 have a vulnerability in the pages field that allows authenticated users to check for the existence of arbitrary pages and retrieve their title field values, even if they do not have access to the page. This issue arises when roles have the pages.access permission disabled. The vulnerability can lead to unauthorized information disclosure. The CVSS score of 5.3 indicates a medium severity vulnerability. Defenders should review role permissions and monitor for suspicious activity related to page existence checks and title retrieval. Compensating controls and monitoring can help mitigate the vulnerability while remediation is scheduled and verified.

Defensive priority

Medium priority due to the CVSS score of 5.3 and the potential for unauthorized information disclosure. Defenders should review role permissions and monitor for suspicious activity related to page existence checks and title retrieval. Compensating controls and monitoring can help mitigate the vulnerability while remediation is scheduled and verified. Asset inventory and rollback/change windows can also aid in remediation efforts. Tracking exceptions and retesting remediated assets is crucial before closing the item. The vulnerability has a medium severity, and defenders should prioritize remediation based on their environment's exposure and potential impact. The Kirby CMS community and users should review and adjust role permissions for pages.access to prevent exploitation. Additionally, defenders should check relevant monitoring, detection, and logs for exposed assets that need extra review. The CVE record and NVD entry provide some context, but further investigation is necessary to fully understand the issue. The vulnerability is fixed in versions 4.9.4 and 5.4.4. Users should plan vendor-supported updates or mitigations through normal change control where exposure is confirmed. Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up. Review compensating controls for exposed systems while remediation is scheduled and verified. Track exceptions, retest remediated assets, and close the item only after evidence is documented. The vulnerability allows authenticated users to provide an inaccessible parent page or site to the page picker backend and confirm arbitrary page existence and retrieve title field values. This issue can lead to unauthorized information disclosure, emphasizing the need for prompt remediation and mitigation. The Kirby CMS vulnerability highlights the importance of proper role configuration and access control. Defenders should be aware of the potential risks and take necessary precautions to prevent exploitation. The vulnerability is a result of the pages field not properly handling roles with disabled pages.access permission, allowing authenticated users to exploit this weakness. To prevent

Recommended defensive actions

  • Upgrade to Kirby CMS version 4.9.4 or 5.4.4
  • Review and adjust role permissions for pages.access
  • Monitor for suspicious activity related to page existence checks and title retrieval
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record and NVD entry provide limited information about the vulnerability. Further investigation and review of the Kirby CMS codebase and documentation are necessary to fully understand the issue. Evidence is limited, and defenders should verify the affected scope and vendor guidance. The vulnerability affects Kirby CMS versions prior to 4.9.4 and 5.4.4. The pages field vulnerability allows authenticated users to check for arbitrary page existence and retrieve title field values.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T19:17:05.490Z and has not been modified since then. The NVD entry is currently Deferred.