PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42069 Unknown Vendor CVE debrief

CVE-2026-42069 is a Kirby CMS access-control issue that allowed read access to site, user, and role information without permission checks. The issue was published on 2026-05-09 and is rated HIGH (CVSS 7.1). According to the official sources, the fix is available in Kirby 4.9.0 and 5.4.0.

Vendor: Unknown Vendor
Product: Unknown
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-09
Original CVE updated: 2026-05-09
Advisory published: 2026-05-09
Advisory updated: 2026-05-09

Who should care

Kirby CMS administrators, security teams, and operators running affected versions before 4.9.0 or 5.4.0, especially where site, user, or role metadata should remain restricted.

Technical summary

The official NVD record and GitHub advisory describe a missing authorization check (CWE-862) in Kirby CMS. Prior to versions 4.9.0 and 5.4.0, read access to site, user, and role information was not gated by permissions. The supplied CVSS v4 vector indicates a network-reachable issue requiring low privileges and no user interaction, with high confidentiality impact and no stated integrity or availability impact. The source corpus does not provide exploit details or endpoint-specific behavior beyond the access-control failure.

Defensive priority

High. Prioritize remediation if Kirby is internet-facing or if unauthorized disclosure of site, user, or role data would be harmful. The issue affects confidentiality directly and is reachable with low privileges per the supplied CVSS vector.

Recommended defensive actions

  • Upgrade Kirby to 4.9.0 or later on the 4.x line, or to 5.4.0 or later on the 5.x line, whichever matches your deployment.
  • Inventory all Kirby instances and confirm which versions are deployed before assuming a site is unaffected.
  • Review administrative and low-privilege account paths that can read site, user, or role information, and verify the permission boundary now works as intended after patching.
  • Check access logs and related monitoring for unexpected reads of administrative metadata during the exposure window.
  • If immediate upgrade is not possible, reduce exposure of Kirby management and metadata surfaces until the fixed version is deployed.
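One way to carry out the inventory step above in code, as an added example that is not PatchSiren's or Kirby's own: a small triage routine that classifies each deployed Kirby version against the two fix lines the debrief names. It relies only on the fixed versions stated here (4.9.0 and 5.4.0); the hostnames and version strings are constructed sample data. The point it makes that a plain numeric comparison misses is that each instance must be compared with the fix on its own major line: 5.0.2 is affected even though it is "newer" than 4.9.0, and an empty or unparseable version string is reported as unknown rather than silently treated as safe.

```python
"""Per-major-line version triage for the Kirby fix releases named in the debrief.

Added example, not PatchSiren's or Kirby's code. The only facts used are the
fixed versions stated in the advisory (4.9.0 and 5.4.0). The inventory below is
constructed sample data.
"""
from __future__ import annotations

import re

# Fixed release per major line, as stated in the advisory.
FIXED_VERSIONS = {4: (4, 9, 0), 5: (5, 4, 0)}

# Constructed inventory: hostname -> Kirby version string reported by the instance.
SAMPLE_INVENTORY = {
    "www.example.test": "4.8.3",
    "docs.example.test": "4.9.0",
    "intranet.example.test": "5.0.2",
    "shop.example.test": "5.4.0",
    "legacy.example.test": "3.9.8",
    "staging.example.test": "5.4.1-rc.1",
    "unknown.example.test": "",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int] | None:
    """Return (major, minor, patch) or None when the string is not a version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version_text: str) -> str:
    """Classify one instance as "fixed", "affected", "unknown" or "out-of-scope".

    A 5.x release is compared only with 5.4.0 and a 4.x release only with 4.9.0,
    so 5.0.2 is reported as affected even though it sorts after 4.9.0 numerically.
    """
    v = parse_version(version_text)
    if v is None:
        # No usable version string: do not assume the site is unaffected.
        return "unknown"
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        # The advisory names only the 4.x and 5.x fix lines; anything else
        # is outside this check and needs manual review.
        return "out-of-scope"
    return "fixed" if v >= fixed else "affected"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by classification, sorted for stable output."""
    groups: dict[str, list[str]] = {
        "fixed": [], "affected": [], "unknown": [], "out-of-scope": [],
    }
    for host, version in sorted(inventory.items()):
        groups[classify(version)].append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:13} {', '.join(hosts) or '-'}")
```

Instances in the "affected" and "unknown" groups are the ones to upgrade or verify by hand; "out-of-scope" flags major versions the advisory does not mention so they are reviewed rather than dropped.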

Evidence notes

This debrief is based only on the supplied official sources: the NVD CVE record, the GitHub security advisory, and the Kirby release references for 4.9.0 and 5.4.0. The corpus states that read access to site, user, and role information was not gated by permissions and that the issue is fixed in those versions. The CVSS v4 vector and CWE-862 mapping come from the source metadata. No exploit code, weaponized reproduction, or additional impact details were provided.

Official resources

Publicly published on 2026-05-09T04:16:22.297Z, which is the CVE publication timestamp supplied in the source corpus. No earlier vendor disclosure time was provided in the supplied data.