PatchSiren cyber security CVE debrief
CVE-2026-42051 Unknown Vendor CVE debrief
CVE-2026-42051 is an information-disclosure issue in Kirby CMS. According to the supplied advisory and NVD record, authenticated users could access system API data that reveals license details and the installed version in versions prior to 4.9.0 and 5.4.0. The issue is patched in those releases. The reported severity is medium, consistent with limited confidentiality impact and no direct integrity or availability impact in the supplied data.
- Vendor: Unknown Vendor
- Product: Unknown
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-09
- Original CVE updated: 2026-05-09
- Advisory published: 2026-05-09
- Advisory updated: 2026-05-09
Who should care
Kirby administrators, hosting providers, and security teams responsible for sites running Kirby versions earlier than 4.9.0 or 5.4.0, especially where authenticated users should not be able to view license or version metadata.
Technical summary
The supplied sources describe a missing-authorization condition affecting a Kirby system API endpoint. The weakness is mapped to CWE-862 in the advisory metadata. Impact is limited to disclosure of license data and the installed version to authenticated users. The fix is included in Kirby 4.9.0 and 5.4.0, as referenced by the official release tags and GitHub security advisory.
Defensive priority
Medium. Prioritize patching if you expose Kirby to multiple authenticated users, use license/version metadata as sensitive operational information, or rely on strict internal access boundaries.
Recommended defensive actions
- Upgrade Kirby to 4.9.0 or later on the 4.x release line, or to 5.4.0 or later on the 5.x release line.
- Review whether authenticated users can reach the affected system API endpoint in your deployment.
- Confirm that license and installed-version metadata are no longer exposed after upgrading.
- Inventory all Kirby instances to identify any versions earlier than the fixed releases.
- Check application logs and access controls for unusual authenticated access to system API resources around the time of remediation.
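The inventory step above is easy to get wrong by hand when two release lines have different fixed versions. The following Python script, added here as an illustration and not code from Kirby or from the advisory, classifies a list of (hostname, version) pairs against the fixed releases named in this debrief. It assumes the version strings come from your own deployment records or CMDB (it does not query the affected system API), treats pre-release builds such as `5.4.0-rc.1` as older than the final release, and flags release lines the supplied data does not cover rather than guessing about them. The hostnames and versions in `SAMPLE_INVENTORY` are constructed sample data.

```python
"""Classify Kirby instances against the fixed releases for CVE-2026-42051.

Added example, not Kirby's or the advisory's own code. Versions are assumed to
come from your deployment records; nothing here talks to a Kirby instance.
"""
import re
from typing import Iterable, Optional, Tuple

# Fixed releases per major release line, as stated in the debrief:
# 4.9.0 for the 4.x line and 5.4.0 for the 5.x line.
FIXED_RELEASES = {4: (4, 9, 0), 5: (5, 4, 0)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(version: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse 'MAJOR.MINOR.PATCH' with an optional leading 'v' and an optional
    pre-release suffix. Returns (major, minor, patch, is_final) or None.

    is_final is 1 for a bare release and 0 for a pre-release, so that a tuple
    comparison ranks '5.4.0-rc.1' below '5.4.0' (the pre-release is still affected).
    """
    match = _VERSION_RE.match(version.strip())
    if match is None:
        return None
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    is_final = 1 if match.group(4) is None else 0
    return (major, minor, patch, is_final)


def assess(version: str) -> str:
    """Return one of 'affected', 'fixed', 'not-covered' or 'unparseable'.

    'not-covered' means the major release line is not one of the two the
    debrief names (4.x, 5.x); check vendor guidance for those instead of
    assuming either way.
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    fixed = FIXED_RELEASES.get(parsed[0])
    if fixed is None:
        return "not-covered"
    # Compare against the final release of the fixed version (is_final = 1).
    return "affected" if parsed < fixed + (1,) else "fixed"


def inventory_report(instances: Iterable[Tuple[str, str]]) -> dict:
    """Map each hostname to its assessment so the result can be filtered or exported."""
    return {host: assess(version) for host, version in instances}


# Constructed sample inventory; these hosts and versions are not real data.
SAMPLE_INVENTORY = [
    ("cms-a.example.internal", "4.8.2"),
    ("cms-b.example.internal", "4.9.0"),
    ("cms-c.example.internal", "v5.3.1"),
    ("cms-d.example.internal", "5.4.0-rc.1"),
    ("cms-e.example.internal", "5.10.0"),
    ("cms-f.example.internal", "3.9.8"),
    ("cms-g.example.internal", "unknown"),
]

if __name__ == "__main__":
    for host, status in inventory_report(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Instances reported as `affected` belong on the upgrade list; `not-covered` and `unparseable` entries need a manual look rather than being silently counted as safe, which is the usual failure mode of a quick one-line version comparison.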
Evidence notes
This debrief is based only on the supplied NVD record and GitHub-hosted Kirby security/advisory references. The NVD entry cites the Kirby release tags for 4.9.0 and 5.4.0 and the GitHub security advisory GHSA-x68m-c7jf-2572. The supplied timeline shows CVE publication and modification at 2026-05-09T04:16:22.110Z. No KEV date or ransomware-campaign metadata was supplied.
Official resources
The supplied data indicates publication on 2026-05-09T04:16:22.110Z and the same modified timestamp. No KEV listing is present in the provided corpus, and no active-exploitation claim is included in the supplied sources.