php · getkirby/cms · Critical
Kirby CMS: Unauthenticated admin account creation via forwarded headers
What changed
The `isLocal` check in the Panel installation logic did not properly validate the `Forwarded: for=...`, `X-Client-IP` and `X-Real-IP` headers. A remote attacker could therefore make a request pass as local and create the initial admin account on a site that has no user accounts yet and sits behind a reverse proxy that sets these headers.
Who it affects
Kirby sites with no configured user accounts, running on publicly accessible servers behind a reverse proxy that sets `Forwarded: for=...`, `X-Client-IP`, or `X-Real-IP` headers.
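The following is an added illustration of the bug class, not Kirby's code and not a reconstruction of the actual fix: a "local request" check that believes whichever forwarding header it finds first, next to a hardened version that only answers "local" when the TCP peer and every address reported by a forwarding header are loopback, and that fails closed on anything it cannot parse. Function names, the loopback list and the sample `$_SERVER` arrays are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not Kirby's own code. The constants and function names
// are invented for this example.
const LOOPBACK = ['127.0.0.1', '::1'];

/**
 * Return every `for=` address in an RFC 7239 Forwarded header, or null if
 * any element fails to parse (obfuscated identifiers such as "_hidden" or
 * "unknown", or garbage), so the caller can fail closed.
 */
function forwardedForAddresses(string $header): ?array
{
    $addresses = [];
    foreach (explode(',', $header) as $element) {
        foreach (explode(';', $element) as $pair) {
            [$name, $value] = array_pad(explode('=', trim($pair), 2), 2, null);
            if (strtolower((string)$name) !== 'for') {
                continue;
            }
            // Strip optional quotes, IPv6 brackets and a trailing :port.
            $value = trim((string)$value, " \t\"");
            if (preg_match('/^\[([^\]]+)\](?::\d+)?$/', $value, $m) === 1) {
                $value = $m[1];
            } elseif (preg_match('/^(\d{1,3}(?:\.\d{1,3}){3}):\d+$/', $value, $m) === 1) {
                $value = $m[1];
            }
            if (filter_var($value, FILTER_VALIDATE_IP) === false) {
                return null;
            }
            $addresses[] = $value;
        }
    }
    return $addresses;
}

/**
 * VULNERABLE pattern: take the first forwarding header present and compare
 * only that value against the loopback list. Whoever controls that header,
 * including a client whose proxy does not strip it, decides the answer.
 */
function isLocalVulnerable(array $server): bool
{
    if (isset($server['HTTP_FORWARDED'])
        && preg_match('/for=("?)\[?([^;,"\]]+)/i', $server['HTTP_FORWARDED'], $m) === 1) {
        $ip = $m[2];
    } elseif (isset($server['HTTP_X_CLIENT_IP'])) {
        $ip = $server['HTTP_X_CLIENT_IP'];
    } elseif (isset($server['HTTP_X_REAL_IP'])) {
        $ip = $server['HTTP_X_REAL_IP'];
    } else {
        $ip = $server['REMOTE_ADDR'] ?? '';
    }
    return in_array(trim($ip), LOOPBACK, true);
}

/**
 * HARDENED: local only if the TCP peer is loopback AND every client address
 * reported by any forwarding header is loopback too. Unparseable headers
 * mean "not local". A remote client cannot add a header that turns this
 * true, and a same-host proxy that reports a remote client keeps it false.
 */
function isLocalHardened(array $server): bool
{
    $candidates = [$server['REMOTE_ADDR'] ?? ''];
    if (isset($server['HTTP_FORWARDED'])) {
        $forwarded = forwardedForAddresses($server['HTTP_FORWARDED']);
        if ($forwarded === null) {
            return false;
        }
        $candidates = array_merge($candidates, $forwarded);
    }
    foreach (['HTTP_X_CLIENT_IP', 'HTTP_X_REAL_IP'] as $name) {
        if (isset($server[$name])) {
            // Single-address headers; a comma list fails FILTER_VALIDATE_IP below.
            $candidates[] = trim($server[$name]);
        }
    }
    foreach ($candidates as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP) === false || !in_array($ip, LOOPBACK, true)) {
            return false;
        }
    }
    return true;
}

// Constructed requests, not captured traffic: what $_SERVER holds when a
// reverse proxy on the same host (REMOTE_ADDR 127.0.0.1) sets X-Real-IP to
// the real client address, plus one direct request with a spoofed header.
$cases = [
    'admin on the box via the proxy' => [
        'REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_REAL_IP' => '127.0.0.1',
    ],
    'remote client, honest proxy' => [
        'REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_REAL_IP' => '203.0.113.7',
    ],
    'remote client adds Forwarded, proxy passes it through' => [
        'REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_REAL_IP' => '203.0.113.7',
        'HTTP_FORWARDED' => 'for=127.0.0.1;proto=https',
    ],
    'no proxy, client spoofs X-Client-IP' => [
        'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_CLIENT_IP' => '127.0.0.1',
    ],
];

foreach ($cases as $label => $server) {
    printf("%-55s vulnerable=%-5s hardened=%s\n", $label,
        isLocalVulnerable($server) ? 'true' : 'false',
        isLocalHardened($server) ? 'true' : 'false');
}
```

Run with `php isLocal.php`. The two checks agree on the first two cases; they disagree on the last two, where the vulnerable check reports the attacker-supplied loopback address as local while the hardened check rejects it because another address in the chain (the peer or the proxy's `X-Real-IP`) is remote.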
What to do today
Update to Kirby 4.9.4 or 5.4.4 (or later). If you cannot update yet, create the initial admin account manually, which removes the "no existing users" precondition for this attack, or disable the REST API with `'api' => false` in `site/config/config.php`.