CVE-2026-54003: Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header
Kirby is an open-source content management system. Prior to 4.9.4 and from 5.4.4, Kirby sites with no configured user accounts that run on publicly accessible servers behind a reverse proxy setting the Forwarded, X-Client-IP, or X-Real-IP request header could allow remote attackers to install the Panel and create the first admin user because local-IP checks trusted those headers incorrectly. This issue is fixed in versions 4.9.4 and 5.4.4.
Security readout for executives and security teams
Plain-English summary
A vulnerable Kirby CMS site can let an outside attacker complete the initial Panel setup and create the first administrator account. This only applies in specific setups: no existing user accounts, public access, and a reverse proxy that sets certain client-IP headers. Fixed Kirby versions are available.
Executive priority
Treat as urgent for any public, newly deployed, or uninitialized Kirby site behind a reverse proxy. The business risk is unauthorized administrative takeover of the CMS. Prioritize rapid inventory and upgrade where the deployment conditions match.
Technical view
Kirby before 4.9.4 and 5.0.0 through before 5.4.4 incorrectly trusted Forwarded, X-Client-IP, or X-Real-IP headers for local-IP checks. In affected reverse proxy deployments with no configured users, remote unauthenticated attackers could initialize the Panel and create the first admin user. CVSS v4.0 score is 9.1.
Likely exposure
Exposure is limited to public Kirby sites on affected versions, behind a reverse proxy setting the named headers, and with no configured user accounts. Existing initialized sites with users are not described as affected by the provided sources.
Exploitation context
The CVE is not listed as CISA KEV in the provided data. No cited source in the bundle states active exploitation. The attack is network-accessible and unauthenticated, but depends on the deployment state and proxy header behavior.
Researcher notes
The issue is deployment-dependent: vulnerable version plus no users plus trusted proxy-supplied client-IP headers. The source bundle identifies fixes in 4.9.4 and 5.4.4 and related commits, but does not provide evidence of exploitation in the wild.
Mitigation direction
Upgrade Kirby 4.x deployments to 4.9.4 or later.
Upgrade Kirby 5.x deployments to 5.4.4 or later.
Review the GitHub advisory for any environment-specific guidance.
Do not leave public Kirby instances uninitialized without administrative control.
Validation and detection
Inventory all Kirby sites and identify their exact versions.
Confirm whether each site is publicly reachable.
Check whether the deployment uses a reverse proxy setting the named headers.
Verify whether any affected site has no configured user accounts.
After updating, confirm Kirby reports version 4.9.4 or 5.4.4 or later.
Review administrative users for unexpected first-admin creation.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-454: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-454 · source CWE mapping
External Initialization of Trusted Variables or Data Stores
External Initialization of Trusted Variables or Data Stores represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.