PatchSiren cyber security CVE debrief
CVE-2026-42137 Unknown Vendor CVE debrief
CVE-2026-42137 is a high-severity authorization flaw in Kirby CMS where the `pages.access/list` and `files.access/list` permissions were not consistently enforced in the Panel and REST API. In affected versions before 4.9.0 and 5.4.0, this can expose page and file listing data to users who should not have access to it.
- Vendor: Unknown Vendor
- Product: Unknown
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-09
- Original CVE updated: 2026-05-09
- Advisory published: 2026-05-09
- Advisory updated: 2026-05-09
Who should care
Kirby site operators, application teams, and maintainers who rely on Panel or REST API authorization for page and file access should review this immediately, especially where low-privilege users can interact with content management features.
Technical summary
The official NVD record describes this as an access-control problem mapped to CWE-862 and CWE-863. The published CVSS 4.0 vector is `AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N`, indicating a network-reachable issue that requires some privileges but primarily affects confidentiality. The GitHub Security Advisory and Kirby release tags identify the fixes in 4.9.0 and 5.4.0.
Defensive priority
High — prioritize upgrade if your Kirby deployment exposes the Panel or REST API and depends on `pages.access/list` or `files.access/list` for access control.
Recommended defensive actions
- Upgrade Kirby to a fixed release: 4.9.0, 5.4.0, or later depending on your branch.
- Review any Panel and REST API workflows that depend on page/file listing permissions.
- Verify that custom roles, plugins, and integrations do not assume these permissions are always enforced elsewhere.
- Temporarily restrict access to the Panel and REST API to trusted users while you validate the fix.
- Check for unexpected page or file listing access in logs and access reviews after remediation.
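To support the upgrade step above, here is an added example (not part of this advisory or of Kirby itself) that reads a project's composer.lock, locates the Kirby core package (assumed to be installed via Composer as getkirby/cms) and reports whether the installed version is at or above the fixed release for its branch, 4.9.0 for 4.x and 5.4.0 for 5.x, flagging other branches as not covered by the advisory.

```python
"""Check whether a Kirby install is on a release fixed for CVE-2026-42137.

Added example, not advisory or Kirby project code. Assumes Kirby is managed
through Composer under the package name getkirby/cms and compares the locked
version against the fixed releases named in the advisory.
"""
import json
import re

# Fixed releases per major branch, as stated in the advisory.
FIXED_BY_BRANCH = {4: (4, 9, 0), 5: (5, 4, 0)}


def parse_version(raw):
    """Turn 'v5.3.2' or '5.3.2' into a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for a version tuple."""
    fixed = FIXED_BY_BRANCH.get(version[0])
    if fixed is None:
        # 3.x and earlier, or a future major, are not covered by the advisory,
        # so the result must be reviewed manually rather than treated as safe.
        return "unknown-branch"
    return "fixed" if version >= fixed else "vulnerable"


def check_lock(lock_json, package="getkirby/cms"):
    """Find the Kirby package in a composer.lock document and assess it."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == package:
            return assess(parse_version(pkg["version"]))
    return "not-installed"


# Constructed sample composer.lock fragment used for demonstration only.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "getkirby/cms", "version": "5.3.1"},
        {"name": "getkirby/composer-installer", "version": "1.2.1"},
    ]
})

if __name__ == "__main__":
    # 5.3.1 is below the 5.4.0 fix, so this reports "vulnerable".
    print(check_lock(SAMPLE_LOCK))
```

Run it against the real lock file with `check_lock(open("composer.lock").read())`; an "unknown-branch" result means the advisory gives no fixed version for that branch and the deployment needs a manual review.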
Evidence notes
The source corpus provides an official NVD update timestamp of 2026-05-09 and references three official GitHub links: Kirby release tag 4.9.0, Kirby release tag 5.4.0, and GitHub Security Advisory GHSA-85x2-r8xv-ww8c. The NVD metadata lists the issue as `Received` and includes CVSS 4.0 vector `AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N` with CWE-862 and CWE-863.
Official resources
CVE-2026-42137 was published and last modified on 2026-05-09T04:16:22.653Z. The official references in the source corpus point to Kirby release tags 4.9.0 and 5.4.0 and the GitHub Security Advisory GHSA-85x2-r8xv-ww8c.