Summary
Kirby CMS's content locks disclose IDs and emails of inaccessible users from users.access/list permissions
TL;DR
This vulnerability affects all Kirby sites that restrict the visibility of users for certain roles via the users.access or users.list permissions. A site is affected if users of a particular role are not allowed to see other users in the Panel, for example because the role's blueprint sets users.access: false or users.list: false as permission for the authenticated user role and/or as option for the target user role.
A Kirby site is not affected if all authenticated Panel users are permitted to access and list other users. The vulnerability can only be exploited by authenticated users.
Introduction
Missing authorization allows authenticated users to gain access to information they are not intended to see.
The effects of missing authorization can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.
Affected components
Kirby's user permissions control which user role is allowed to perform specific actions or access specific information in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/...). The users.access and users.list permissions control whether users of a given role are allowed to access and list other users in the Panel. It is also possible to customize the permissions for each target role using the options feature. The permissions and options together control the authorization of user actions.
Kirby's Panel includes a content-locking feature that records which user currently has a model open for editing. This lock prevents conflicting edits by multiple users and displays the locking user's identity in the Panel UI so other users know who to contact. Internally, the locking user's email address and identifier are included in every Panel view payload and in error responses returned when a user attempts to edit a model that is currently locked by another user.
Credits
Kirby thanks Matteo Panzeri (@matte1782) for responsibly reporting the identified issue.
Impact
In affected releases, this lock information was returned without checking whether the requesting user had permission to access or list the locking user.
This allowed a low-privilege authenticated Panel user, whose role was configured with users.access: false or users.list: false, to learn the email address and identifier of any user who currently had a model open for editing in the Panel, including administrators and other higher-privilege users. Content locks are active for a configurable window (10 minutes by default).
The email address can allow to enumerate admin accounts, target phishing, and feed credential-stuffing attacks against the Kirby installation or other sites.
The internal user ID can be cross-referenced with other endpoints once the requester has obtained a higher privilege through unrelated means.
The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
The problem has been patched in Kirby 4.9.1 and Kirby 5.4.1. Please update to one of these or a later version to fix the vulnerability.
In the mentioned releases, the lock information is now filtered based on the requesting user's permissions. The identity of the locking user is hidden when the requesting user does not have permission to access or list that user.
Frequently Asked Questions
- What is CVE-2026-45334? CVE-2026-45334 is a medium-severity missing authorization vulnerability in getkirby/cms (composer), affecting versions <= 4.9.0. It is fixed in 4.9.1, 5.4.1. The application does not perform an authorization check before performing a sensitive operation.
- Which versions of getkirby/cms are affected by CVE-2026-45334? getkirby/cms (composer) versions <= 4.9.0 is affected.
- Is there a fix for CVE-2026-45334? Yes. CVE-2026-45334 is fixed in 4.9.1, 5.4.1. Upgrade to this version or later.
- Is CVE-2026-45334 exploitable, and should I be worried? Whether CVE-2026-45334 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-45334 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-45334?
- Upgrade
getkirby/cmsto 4.9.1 or later - Upgrade
getkirby/cmsto 5.4.1 or later
- Upgrade