CVE-2026-54003

getkirby · kirby

Kirby CMS incorrectly trusts reverse proxy headers for IP verification, allowing unauthenticated attackers to bypass local-IP checks and perform unauthorized administrative installations.

Executive summary

An authentication bypass vulnerability in Kirby CMS allows remote, unauthenticated attackers to install the Panel and create administrative accounts.

Vulnerability

This vulnerability stems from improper validation of HTTP headers (Forwarded, X-Client-IP, X-Real-IP) when running behind a reverse proxy. Unauthenticated attackers can spoof their IP address to appear local, bypassing security checks that permit the initial installation of the Kirby Panel and the creation of the first administrator account.

Business impact

With a CVSS score of 9.1, this flaw poses an extreme risk to any Kirby-based website running behind a reverse proxy. Successful exploitation results in complete administrative takeover of the content management system, leading to unauthorized data access, site defacement, and potential remote code execution via the administrative interface.

Remediation

Immediate Action: Update Kirby to version 4.9.4 or 5.4.4 immediately to resolve the improper trusted variable handling.

Proactive Monitoring: Audit existing administrative user lists for unauthorized accounts and review web server logs for suspicious installation attempts or administrative access from unexpected IP ranges.

Compensating Controls: Configure the reverse proxy to sanitize or strip sensitive headers (e.g., X-Real-IP) before forwarding requests to the application server if an immediate update is not feasible.

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability is highly critical as it allows for trivial administrative takeover of the CMS. Organizations must apply the provided updates immediately to prevent unauthorized access and protect the integrity of their content management infrastructure.