CVE-2026-54003
getkirby · kirby
Kirby CMS incorrectly trusts reverse proxy headers for IP verification, allowing unauthenticated attackers to bypass local-IP checks and perform unauthorized administrative installations.
Executive summary
An authentication bypass vulnerability in Kirby CMS allows remote, unauthenticated attackers to install the Panel and create administrative accounts.
Vulnerability
This vulnerability stems from improper validation of HTTP headers (Forwarded, X-Client-IP, X-Real-IP) when running behind a reverse proxy. Unauthenticated attackers can spoof their IP address to appear local, bypassing security checks that permit the initial installation of the Kirby Panel and the creation of the first administrator account.
Business impact
With a CVSS score of 9.1, this flaw poses an extreme risk to any Kirby-based website running behind a reverse proxy. Successful exploitation results in complete administrative takeover of the content management system, leading to unauthorized data access, site defacement, and potential remote code execution via the administrative interface.
Remediation
Immediate Action: Update Kirby to version 4.9.4 or 5.4.4 immediately to resolve the improper trusted variable handling.
Proactive Monitoring: Audit existing administrative user lists for unauthorized accounts and review web server logs for suspicious installation attempts or administrative access from unexpected IP ranges.
Compensating Controls: Configure the reverse proxy to sanitize or strip sensitive headers (e.g., X-Real-IP) before forwarding requests to the application server if an immediate update is not feasible.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability is highly critical as it allows for trivial administrative takeover of the CMS. Organizations must apply the provided updates immediately to prevent unauthorized access and protect the integrity of their content management infrastructure.