PatchSiren

CVE-2026-42174 Kirby CMS CVE debrief

CVE-2026-42174 is a medium-severity missing-authorization issue in Kirby CMS. In Kirby 4 before 4.9.0 and Kirby 5 before 5.4.0, creating, replacing, and deleting a user's avatar were not gated by the user update permission, so an authenticated user could change the avatar of an account they were not allowed to update. The issue was publicly disclosed on 2026-05-09 and is fixed in 4.9.0 and 5.4.0.

Vendor
Kirby (getkirby)
Product
Kirby CMS
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-09
Original CVE updated
2026-05-09
Advisory published
2026-05-09
Advisory updated
2026-05-09

Who should care

Kirby CMS administrators, application developers, and security teams should care if they run Kirby 4 below 4.9.0 or Kirby 5 below 5.4.0, particularly where accounts other than trusted administrators can log in and manage profile avatars.

Technical summary

The advisory maps to CWE-862 (Missing Authorization). Based on the published CVSS vector, the issue is reachable over the network, requires low privileges (a valid account), and needs no user interaction. The impact is limited to integrity: an authenticated user who lacks permission to update a given user account could still create, replace, or delete that account's avatar, because those three operations skipped the user-update authorization check that other user mutations enforce. Confidentiality and availability are not affected. The affected versions are Kirby 4 before 4.9.0 and Kirby 5 before 5.4.0.
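To make the CWE-862 pattern concrete, here is an added Python example (not Kirby code, which is PHP, and not taken from the advisory): a hypothetical user store in which renaming an account is gated by an update-permission check while the avatar operations skip it, shown beside hardened versions, plus a small audit routine that drives every mutation as a low-privileged actor against another account and lists the ones that succeed. The roles, policy, and function names are assumptions made for illustration.

```python
"""Added example (not Kirby code): the CWE-862 pattern behind CVE-2026-42174.

A hypothetical user store where every mutation must pass the "update" permission
check, except that the avatar operations forget to call it. audit_mutations()
drives each operation as a low-privileged actor against another account and
reports which ones succeed without raising Forbidden.
"""
from dataclasses import dataclass
from typing import Callable, Optional


class Forbidden(Exception):
    """Raised when the acting user may not update the target user."""


@dataclass
class User:
    id: str
    role: str                       # hypothetical roles: "admin" or "editor"
    name: str = ""
    avatar: Optional[bytes] = None  # stored avatar image bytes, if any


def can_update(actor: User, target: User) -> bool:
    """Hypothetical policy: admins may update anyone, everyone else only themselves."""
    return actor.role == "admin" or actor.id == target.id


def require_update(actor: User, target: User) -> None:
    if not can_update(actor, target):
        raise Forbidden(f"{actor.id} may not update {target.id}")


# --- a correctly gated user mutation ----------------------------------------
def change_name(actor: User, target: User, name: str) -> None:
    require_update(actor, target)
    target.name = name


# --- avatar operations in the vulnerable pattern: no permission check at all --
def set_avatar_vulnerable(actor: User, target: User, image: bytes) -> None:
    target.avatar = image           # create or replace; nobody asks who 'actor' is


def delete_avatar_vulnerable(actor: User, target: User) -> None:
    target.avatar = None


# --- hardened versions: the same gate as every other user mutation ----------
def set_avatar_fixed(actor: User, target: User, image: bytes) -> None:
    require_update(actor, target)
    target.avatar = image


def delete_avatar_fixed(actor: User, target: User) -> None:
    require_update(actor, target)
    target.avatar = None


Mutation = Callable[[User, User], None]


def audit_mutations(ops: dict[str, Mutation]) -> list[str]:
    """Return the names of operations a non-admin can run against another account.

    Each op takes (actor, target). A correctly gated op raises Forbidden for a
    foreign target; one that returns normally is missing its authorization check.
    """
    ungated = []
    for name, op in ops.items():
        actor = User(id="editor1", role="editor")
        target = User(id="editor2", role="editor", avatar=b"old")
        try:
            op(actor, target)
        except Forbidden:
            continue
        ungated.append(name)
    return ungated


# Constructed sample input: a fake PNG header standing in for an uploaded image.
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n"

MUTATIONS: dict[str, Mutation] = {
    "change_name": lambda a, t: change_name(a, t, "renamed"),
    "set_avatar_vulnerable": lambda a, t: set_avatar_vulnerable(a, t, SAMPLE_IMAGE),
    "delete_avatar_vulnerable": delete_avatar_vulnerable,
    "set_avatar_fixed": lambda a, t: set_avatar_fixed(a, t, SAMPLE_IMAGE),
    "delete_avatar_fixed": delete_avatar_fixed,
}

if __name__ == "__main__":
    print("mutations reachable by a non-admin against another account:",
          audit_mutations(MUTATIONS))
```

The audit is the shape of regression test worth keeping in a project that adds its own profile workflows: register every user-mutating entry point in one table and assert that the set of ungated ones is empty, so a new avatar-like shortcut cannot quietly reintroduce the bypass.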

Defensive priority

Moderate. The flaw requires a valid account and is scored CVSS 5.3, but it bypasses a core account-management control, so it should be remediated promptly wherever non-administrator users hold accounts and can reach avatar management.

Recommended defensive actions

  • Upgrade Kirby to 4.9.0 or later on the 4.x line, or 5.4.0 or later on the 5.x line.
  • Verify that any custom user-profile or account-management workflows (plugins, custom Panel areas, API routes) do not reintroduce missing authorization checks around avatar operations; every path that mutates a user should apply the same update-permission check.
  • Review web server and application logs and recent avatar changes for modifications made by accounts that should not have been able to update the affected user, both before and after patching.
  • If an immediate upgrade is not possible, restrict access to avatar-management features at the application or workflow level, or limit which accounts can authenticate, until remediation is complete.
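To check the first action in practice, here is an added Python helper (not a Kirby or PatchSiren tool) that reads the locked version of the getkirby/cms Composer package from composer.lock and applies the advisory's per-line cut-offs. The Composer package name and the sample lock file are assumptions constructed for the example; the helper also handles edge cases the list does not spell out (3.x installs are below 4.9.0 and so reported as affected, pre-release tags sort below their release, and major lines the advisory does not mention are reported as undetermined).

```python
"""Added example (not Kirby tooling): is an installed Kirby in the affected range of
CVE-2026-42174 (before 4.9.0 on the 4.x line, before 5.4.0 on the 5.x line)?

Reads the version of the getkirby/cms package from composer.lock. The package name is
an assumption; for a zip install, read the "version" field of kirby/composer.json
instead and pass it to is_affected() directly.
"""
import json
from typing import Optional

# First fixed release per major line, from the advisory. The fourth element marks
# "release" (1) versus "pre-release" (0) so that 5.4.0-rc.1 sorts below 5.4.0.
FIXED = {4: (4, 9, 0, 1), 5: (5, 4, 0, 1)}


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Normalise '5.3.1', 'v5.3.1', '5.3.1-rc.1', '5.3' to (major, minor, patch, release)."""
    core, _, pre = text.strip().lstrip("v").partition("-")
    core = core.split("+", 1)[0]                # drop build metadata
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))             # '5.3' -> 5.3.0
    return (parts[0], parts[1], parts[2], 0 if pre else 1)


def is_affected(version: str) -> Optional[bool]:
    """True if affected, False if fixed, None if the major line is outside the advisory.

    Anything below 4.9.0 is "prior to 4.9.0", so unsupported 3.x installs are reported
    as affected; majors newer than 5 are outside the advisory's stated range and need a
    manual decision.
    """
    v = parse_version(version)
    if v[0] < 4:
        return True
    fixed = FIXED.get(v[0])
    if fixed is None:
        return None
    return v < fixed


def installed_kirby_version(composer_lock_text: str) -> Optional[str]:
    """Return the locked getkirby/cms version, or None if Kirby is not a Composer dependency."""
    lock = json.loads(composer_lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "getkirby/cms":
                return pkg.get("version")
    return None


# Constructed composer.lock fragment for a site pinned to an affected 5.x release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "getkirby/cms", "version": "5.3.1"},
        {"name": "getkirby/composer-installer", "version": "1.2.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    import sys
    # Usage: python check_kirby.py [path/to/composer.lock]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    ver = installed_kirby_version(text)
    verdict = {True: "AFFECTED, upgrade", False: "fixed", None: "outside advisory range"}
    print(ver, "->", "not a Composer install" if ver is None else verdict[is_affected(ver)])
```

Run it against each site's composer.lock (or feed it the version from kirby/composer.json for zip installs) as part of the patch-verification step; the 4.x/5.x split matters because a site on 4.9.x is fixed while a site on 5.3.x is not, even though 5.3 is the newer number.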

Evidence notes

The NVD record for CVE-2026-42174 cites GitHub Security Advisory GHSA-39cp-6679-8xv2 and Kirby release tags 4.9.0 and 5.4.0. The source text states that avatar creation, replacement, and deletion were not gated by user update permissions before those versions. The advisory maps the weakness to CWE-862. No KEV listing was provided in the supplied corpus.

Official resources

Publicly disclosed on 2026-05-09 through the NVD record (https://nvd.nist.gov/vuln/detail/CVE-2026-42174), with supporting GitHub Security Advisory GHSA-39cp-6679-8xv2 (https://github.com/advisories/GHSA-39cp-6679-8xv2) and the Kirby release references for the patched versions, 4.9.0 and 5.4.0.