Hey everyone,
Today we are releasing our biggest security release in the last 14+ years. The last few weeks have been intense, to say the least. We received 8 reports within just a couple of days. This is a very unusual number of reports in such short succession for us, and unfortunately six of them turned out to be valid and also pretty complex to fix. They now lead to a quite long list of advisories and patches. We had some overlapping topics and some additional discoveries that we made after receiving the reports.
Here’s an overview of the situation:
- The vulnerabilities range from moderate to high.
- There are no critical vulnerabilities that could lead to a break-in situation.
- We also don’t have any reports that any of the vulnerabilities have been used in an attack yet.
- Most affected are teams with multiple roles and permissions. The Panel and API can leak sensitive information or allow unintended actions to authenticated team members without sufficient permissions.
- We highly recommend this release for all Kirby 4 and 5 users!
Kirby 5.4.0: https://github.com/getkirby/kirby/releases/tag/5.4.0
Kirby 4.9.0: https://github.com/getkirby/kirby/releases/tag/4.9.0
Kirby 4
We recommend using this chance to upgrade to Kirby 5! We will be able to support you with security releases for longer if you stay up to date.
If this is not possible, make sure to update to 4.9.0. There is unfortunately a problem with an invalid security advisory at the moment, which will break Composer updates. We’ve added a temporary fix for this to the release notes while we are trying to resolve this directly with the GitHub security team.
Kirby 3
We want to be completely honest about this. Kirby 3 installations are also affected by these vulnerabilities. But Kirby 3 reached its end of life in December 2025. The last official Kirby 3 release was in 2023. We don’t have the resources as a team to create backports, keep them up to date, tested, and patched for Kirby 3. We hope you understand. Your best, future-proof option really is an upgrade to Kirby 5.
You can see all our supported versions here: https://getkirby.com/security
Please check the release notes for more details. Let us know if you have any questions.