CVE-2026-54003
Description
Kirby is an open-source content management system. Prior to 4.9.4 and from 5.4.4, Kirby sites with no configured user accounts that run on publicly accessible servers behind a reverse proxy setting the Forwarded, X-Client-IP, or X-Real-IP request header could allow remote attackers to install the Panel and create the first admin user because local-IP checks trusted those headers incorrectly. This issue is fixed in versions 4.9.4 and 5.4.4.
Is your site exposed to CVE-2026-54003?
Run a free security scan — no signup, results in seconds.
Weakness Type (CWE)
CWE-454
CWE-454
References
Other References
https://github.com/getkirby/kirby/commit/1c7fee90e49153cf9ca4a6ec17481d25fbedc48d
https://github.com/getkirby/kirby/commit/3423f66c01dbc0455862e23ee699d2aa469f3234
https://github.com/getkirby/kirby/commit/66a3a14bf0892d320723ba766cd5f1d33a51d15b
https://github.com/getkirby/kirby/commit/ab992dc149610b90e337c2955ab6ccb7f72ffb3a
https://github.com/getkirby/kirby/pull/8166
https://github.com/getkirby/kirby/releases/tag/4.9.4
https://github.com/getkirby/kirby/releases/tag/5.4.4
https://github.com/getkirby/kirby/security/advisories/GHSA-whxw-24jc-cwmv
Frequently Asked Questions
What is CVE-2026-54003? +
Kirby is an open-source content management system. Prior to 4.9.4 and from 5.4.4, Kirby sites with no configured user accounts that run on publicly accessible servers behind a reverse proxy setting the Forwarded, X-Client-IP, or X-Real-IP request header could allow remote attackers to install the Panel and create the first admin user because local-IP checks trusted those headers incorrectly. This issue is fixed in versions 4.9.4 and 5.4.4.
How do I check if I'm vulnerable to CVE-2026-54003? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.