Home > Vulnerability Database > CVE-2026-21896

Mend.io Vulnerability Database

CVE-2026-21896

Good to know:

Date: January 8, 2026

Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write actions, specifically by disabling the update permission with the intent to prevent modifications to site content. This vulnerability does not affect those who have not altered the deviated from default user permissions. This issue has been patched in version 5.2.2.

Severity Score

6.3

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-21896

Url: https://github.com/getkirby/kirby/security/advisories/GHSA-4j78-4xrm-cr2f

Url: https://github.com/getkirby/kirby

Url: https://github.com/getkirby/kirby/commit/f5ce1347b427b819bf193acf11fd0da232f7af47

Url: https://github.com/getkirby/kirby/releases/tag/5.2.2

Url: https://www.mend.io/vulnerability-database/CVE-2026-21896

Severity Score

6.3

Weakness Type (CWE)

Incorrect Authorization

CWE-863

Top Fix

Upgrade Version

Upgrade to version getkirby/cms - 5.2.2;https://github.com/getkirby/kirby.git - 5.2.2

Learn More

CVSS v3.1

Base Score:	6.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2026-21896

Good to know:

Date: January 8, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?