Executive Summary
A critical vulnerability (CVE-2026-54003, CVSS 9.1) affects Kirby sites that have no user accounts yet and run behind a reverse proxy that forwards the client address only in a `Forwarded: for=...`, `X-Client-IP` or `X-Real-IP` header. On such a site, a remote attacker can run Kirby's Panel installer and create the first admin account, which amounts to full control of the site. Sites that already have at least one user account, and sites not deployed behind such a proxy, are not affected.
Technical Analysis
The vulnerability is classified as an External Initialization issue. Kirby only permits the Panel installation (creating the first admin account) when the request appears to come from a local machine. That decision is made by the `isLocal` check in Kirby's installation logic, which did not take the `Forwarded: for=...`, `X-Client-IP` or `X-Real-IP` request headers into account. When a reverse proxy carries the real client address only in one of those headers, Kirby sees nothing but the proxy's own address (typically a loopback or otherwise local address) and therefore treats a request from anywhere on the internet as a local installation request.
How It Gets Exploited
No authentication is needed. An attacker who can reach a publicly accessible Kirby site through such a proxy simply sends the installation requests; they arrive at Kirby with a `Forwarded: for=...`, `X-Client-IP` or `X-Real-IP` header that the `isLocal` check ignores, so the connection appears to originate from the proxy's local address and passes as local. If the site has no user account yet and the Panel and API are enabled, the attacker can complete the installation and create a new admin account, granting full control over the site and its content.
Impact Assessment
The impact is critical for affected sites: remote creation of the first admin account leads directly to full site compromise. Kirby 3.7.0 and later, up to the fixed releases, are affected when deployed behind a reverse proxy that passes the client address in the `Forwarded: for=...`, `X-Client-IP` or `X-Real-IP` header. The CVSS score of 9.1 reflects that severity; the main mitigating factor is that the window closes as soon as any user account exists.
Recommended Actions
1. Update to Kirby 4.9.4 or 5.4.4, or a later version, which contain the patch.
2. For sites on older Kirby versions (3.7.0 and later) that cannot be updated, run the Panel installation yourself and create the initial admin account; once a user account exists, the installer no longer runs.
3. If the Panel is not needed, disable the REST API with the `'api' => false` option in `config.php` (the Panel installer runs through the API).
4. Verify and adjust your reverse proxy configuration so that it forwards the client address in a header Kirby already checks, such as `X-Forwarded-For` or `Client-IP`, rather than only in `Forwarded`, `X-Client-IP` or `X-Real-IP`.
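To make the failure mode in the technical analysis concrete, and to show what the proxy change in step 4 buys you, here is an added example that is not Kirby's code: a simplified model of an "is this request local?" check. `is_local_naive` consults only `REMOTE_ADDR`, `X-Forwarded-For` and `Client-IP`, the headers the advisory says were already handled; `is_local_hardened` additionally parses `Forwarded: for=...`, `X-Client-IP` and `X-Real-IP`. The request scenarios (a proxy on loopback forwarding the client in each header style) are constructed for the example, and the exact candidate list and the fail-closed handling of an empty list are assumptions of this model, not a description of Kirby's `Environment::isLocal()`.

```python
"""Illustrative model of a local-request check (not Kirby's implementation).

Shows why a reverse proxy that forwards the client address only in
Forwarded / X-Client-IP / X-Real-IP makes every request look local to a
check that ignores those headers, and how a check that parses them behaves.
"""
import ipaddress
import re

# Headers the naive check knows about (page: already checked by Kirby).
NAIVE_HEADERS = ("x-forwarded-for", "client-ip")
# Additional comma-separated headers the hardened check consults (assumption).
EXTRA_HEADERS = ("x-client-ip", "x-real-ip")

_BRACKETED_V6 = re.compile(r"^\[(?P<v6>[^\]]+)\](?::\d+)?$")


def _is_loopback(addr: str) -> bool:
    """True only for a syntactically valid loopback address (127/8 or ::1)."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        # "unknown", obfuscated "_hidden" identifiers, hostnames: never local.
        return False


def parse_forwarded_for(value: str) -> list[str]:
    """Extract the for= node identifiers from an RFC 7239 Forwarded header.

    Handles multiple comma-separated elements, quoted values, bracketed IPv6
    with optional port, and IPv4 with optional port.
    """
    nodes = []
    for element in value.split(","):
        for pair in element.split(";"):
            if "=" not in pair:
                continue
            key, raw = pair.split("=", 1)
            if key.strip().lower() != "for":
                continue
            raw = raw.strip().strip('"')
            match = _BRACKETED_V6.match(raw)
            if match:
                nodes.append(match.group("v6"))
            elif raw.count(":") == 1:          # IPv4:port
                nodes.append(raw.split(":")[0])
            else:                               # bare IPv4, bare IPv6, or token
                nodes.append(raw)
    return nodes


def _candidates(remote_addr: str, headers: dict, names: tuple) -> list[str]:
    """Collect every address that claims to describe the client."""
    found = [remote_addr]
    for name in names:
        value = headers.get(name)
        if value:
            found.extend(part.strip() for part in value.split(","))
    return [c for c in found if c]


def is_local_naive(remote_addr: str, headers: dict) -> bool:
    """Checks REMOTE_ADDR plus X-Forwarded-For / Client-IP only."""
    cands = _candidates(remote_addr, headers, NAIVE_HEADERS)
    # Model choice: fail closed when nothing identifies the client.
    return bool(cands) and all(_is_loopback(c) for c in cands)


def is_local_hardened(remote_addr: str, headers: dict) -> bool:
    """Also consults Forwarded: for=..., X-Client-IP and X-Real-IP."""
    cands = _candidates(remote_addr, headers, NAIVE_HEADERS + EXTRA_HEADERS)
    if headers.get("forwarded"):
        cands.extend(parse_forwarded_for(headers["forwarded"]))
    return bool(cands) and all(_is_loopback(c) for c in cands)


# Constructed requests as seen by the application behind a proxy on loopback.
# Header names are lower-cased as a WSGI/PSR-style layer would present them.
SCENARIOS = {
    "weak_proxy_x_real_ip":   ("127.0.0.1", {"x-real-ip": "203.0.113.7"}),
    "weak_proxy_x_client_ip": ("127.0.0.1", {"x-client-ip": "203.0.113.7"}),
    "weak_proxy_forwarded":   ("127.0.0.1", {"forwarded": 'for="[2001:db8::1]:4711";proto=https'}),
    "obfuscated_forwarded":   ("127.0.0.1", {"forwarded": "for=_hidden"}),
    "fixed_proxy_xff":        ("127.0.0.1", {"x-forwarded-for": "203.0.113.7"}),
    "genuinely_local":        ("127.0.0.1", {}),
}


def evaluate(check) -> dict:
    """Run one check over every scenario; returns {scenario: is_local}."""
    return {name: check(addr, hdrs) for name, (addr, hdrs) in SCENARIOS.items()}


if __name__ == "__main__":
    for label, check in (("naive", is_local_naive), ("hardened", is_local_hardened)):
        print(label)
        for name, result in evaluate(check).items():
            print(f"  {name:26} local={result}")
```

Running it shows the naive check returning `True` for the three "weak proxy" scenarios: the proxy's loopback `REMOTE_ADDR` is the only address it recognises, so an internet client passes as local, exactly the false positive the advisory describes. The hardened check and the naive check agree once the proxy forwards the client in `X-Forwarded-For` (step 4), and both still accept a genuinely local request. Note that either check trusts the proxy to overwrite client-supplied headers; a proxy that passes an incoming `X-Forwarded-For: 127.0.0.1` through untouched would let a client claim to be local, so the proxy must set these headers itself rather than forward whatever the client sent.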
Sources
- GitHub Security Advisories: https://github.com/advisories/GHSA-whxw-24jc-cwmv