PatchSiren cyber security CVE debrief
CVE-2026-54003 getkirby CVE debrief
A critical vulnerability exists in Kirby, an open-source content management system. Versions prior to 4.9.4 and from 5.4.4 are affected by a vulnerability that allows remote attackers to install the Panel and create the first admin user on publicly accessible servers behind a reverse proxy. The issue arises from incorrect trust in Forwarded, X-Client-IP, or X-Real-IP request headers for local-IP checks. This vulnerability is particularly dangerous for sites with no configured user accounts that are accessible to the public and rely on reverse proxy settings for IP validation.
- Vendor
- getkirby
- Product
- kirby
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-09
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-09
- Advisory updated
- 2026-07-10
Who should care
Administrators and users of Kirby sites, especially those running on publicly accessible servers, should be aware of this vulnerability. Sites with no configured user accounts are potentially vulnerable if they rely on reverse proxy settings for IP validation. It is crucial for these administrators to take immediate action to protect their sites.
Technical summary
The vulnerability in Kirby allows remote attackers to bypass local-IP checks by manipulating request headers, particularly Forwarded, X-Client-IP, or X-Real-IP. This is especially dangerous for sites accessible to the public and relying on reverse proxies for IP validation. The issue arises because Kirby incorrectly trusts these headers for local-IP checks, potentially allowing attackers to install the Panel and create the first admin user. The vulnerability has been addressed in Kirby versions 4.9.4 and 5.4.4. Sites with no configured user accounts are at risk if they run on publicly accessible servers behind a reverse proxy.
Defensive priority
High
Recommended defensive actions
- Update Kirby to version 4.9.4 or 5.4.4 immediately if your site is publicly accessible or if you rely on reverse proxy settings for IP validation.
- Review and configure user accounts properly to prevent unauthorized access.
- Monitor your site for unusual activity, especially related to admin user creation.
- Consider implementing additional security measures such as IP whitelisting for admin access.
- Perform a thorough review of your site's exposure and apply compensating controls if necessary.
- Track exceptions and retest remediated assets, closing the item only after evidence is documented.
- Review relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The vulnerability details are based on information from the NVD and Kirby's official advisories. Evidence is limited to public records and may not reflect the full scope of affected systems or compensating controls. Further verification is recommended to ensure the accuracy of the information and to identify any potential gaps in the provided details.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T19:17:06.120Z and has not been modified since then. The NVD entry is currently Deferred.