Common Weakness Enumeration

CWE-454

Allowed

External Initialization of Trusted Variables or Data Stores

Abstraction: Base · Status: Draft

The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.

8 vulnerabilities reference this CWE, most recent first.

CVE-2026-54003 (GCVE-0-2026-54003)

Vulnerability from cvelistv5 – Published: 2026-07-09 18:36 – Updated: 2026-07-09 19:23
VLAI
Title
Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header
Summary
Kirby is an open-source content management system. Prior to 4.9.4 and from 5.4.4, Kirby sites with no configured user accounts that run on publicly accessible servers behind a reverse proxy setting the Forwarded, X-Client-IP, or X-Real-IP request header could allow remote attackers to install the Panel and create the first admin user because local-IP checks trusted those headers incorrectly. This issue is fixed in versions 4.9.4 and 5.4.4.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-454 - External Initialization of Trusted Variables or Data Stores
Assigner
Impacted products
Vendor Product Version
getkirby kirby Affected: < 4.9.4
Affected: >= 5.0.0, < 5.4.4
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54003",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T19:23:16.615569Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T19:23:24.078Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kirby",
          "vendor": "getkirby",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.9.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.4.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Kirby is an open-source content management system. Prior to 4.9.4 and from 5.4.4, Kirby sites with no configured user accounts that run on publicly accessible servers behind a reverse proxy setting the Forwarded, X-Client-IP, or X-Real-IP request header could allow remote attackers to install the Panel and create the first admin user because local-IP checks trusted those headers incorrectly. This issue is fixed in versions 4.9.4 and 5.4.4."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-454",
              "description": "CWE-454: External Initialization of Trusted Variables or Data Stores",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T18:36:43.667Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/getkirby/kirby/security/advisories/GHSA-whxw-24jc-cwmv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-whxw-24jc-cwmv"
        },
        {
          "name": "https://github.com/getkirby/kirby/pull/8166",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getkirby/kirby/pull/8166"
        },
        {
          "name": "https://github.com/getkirby/kirby/commit/1c7fee90e49153cf9ca4a6ec17481d25fbedc48d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getkirby/kirby/commit/1c7fee90e49153cf9ca4a6ec17481d25fbedc48d"
        },
        {
          "name": "https://github.com/getkirby/kirby/commit/3423f66c01dbc0455862e23ee699d2aa469f3234",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getkirby/kirby/commit/3423f66c01dbc0455862e23ee699d2aa469f3234"
        },
        {
          "name": "https://github.com/getkirby/kirby/commit/66a3a14bf0892d320723ba766cd5f1d33a51d15b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getkirby/kirby/commit/66a3a14bf0892d320723ba766cd5f1d33a51d15b"
        },
        {
          "name": "https://github.com/getkirby/kirby/commit/ab992dc149610b90e337c2955ab6ccb7f72ffb3a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getkirby/kirby/commit/ab992dc149610b90e337c2955ab6ccb7f72ffb3a"
        },
        {
          "name": "https://github.com/getkirby/kirby/releases/tag/4.9.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getkirby/kirby/releases/tag/4.9.4"
        },
        {
          "name": "https://github.com/getkirby/kirby/releases/tag/5.4.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getkirby/kirby/releases/tag/5.4.4"
        }
      ],
      "source": {
        "advisory": "GHSA-whxw-24jc-cwmv",
        "discovery": "UNKNOWN"
      },
      "title": "Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-54003",
    "datePublished": "2026-07-09T18:36:43.667Z",
    "dateReserved": "2026-06-11T16:34:11.635Z",
    "dateUpdated": "2026-07-09T19:23:24.078Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48980 (GCVE-0-2026-48980)

Vulnerability from cvelistv5 – Published: 2026-06-18 19:26 – Updated: 2026-06-18 20:25
VLAI
Title
pam_usb: getenv() used in PAM context allows environment variable injection into local-check logic
Summary
pam_usb provides hardware authentication for Linux using removable media. In versions prior to 0.9.2, getenv() environment variables XRDP_SESSION, DISPLAY and TMUX allow environment variable injection into local-check logic. These environment variables influence whether a current session is local or remote, and a PAM module that runs in the context of setuid binaries (sudo, su), getenv() returns attacker-controlled values whenever the process environment has been manipulated by a local user. This issue has been fixed in version 0.9.2.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-454 - External Initialization of Trusted Variables or Data Stores
  • CWE-807 - Reliance on Untrusted Inputs in a Security Decision
Assigner
References
Impacted products
Vendor Product Version
mcdope pam_usb Affected: < 0.9.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48980",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-18T20:25:21.713697Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-18T20:25:31.988Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pam_usb",
          "vendor": "mcdope",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.9.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "pam_usb provides hardware authentication for Linux using removable media. In versions prior to 0.9.2,  getenv() environment variables XRDP_SESSION, DISPLAY and TMUX allow environment variable injection into local-check logic. These environment variables influence whether a current session is local or remote, and a PAM module that runs in the context of setuid binaries (sudo, su), getenv() returns attacker-controlled values whenever the process environment has been manipulated by a local user. This issue has been fixed in version 0.9.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-454",
              "description": "CWE-454: External Initialization of Trusted Variables or Data Stores",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-807",
              "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-18T19:26:05.340Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mcdope/pam_usb/security/advisories/GHSA-qr83-mf3h-fvqr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mcdope/pam_usb/security/advisories/GHSA-qr83-mf3h-fvqr"
        },
        {
          "name": "https://github.com/mcdope/pam_usb/releases/tag/0.9.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mcdope/pam_usb/releases/tag/0.9.2"
        }
      ],
      "source": {
        "advisory": "GHSA-qr83-mf3h-fvqr",
        "discovery": "UNKNOWN"
      },
      "title": "pam_usb: getenv() used in PAM context allows environment variable injection into local-check logic"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-48980",
    "datePublished": "2026-06-18T19:26:05.340Z",
    "dateReserved": "2026-05-26T23:26:07.974Z",
    "dateUpdated": "2026-06-18T20:25:31.988Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-26148 (GCVE-0-2026-26148)

Vulnerability from cvelistv5 – Published: 2026-03-10 17:05 – Updated: 2026-06-19 18:17
VLAI
Title
Microsoft Azure AD SSH Login extension for Linux Elevation of Privilege Vulnerability
Summary
External initialization of trusted variables or data stores in Azure Entra ID allows an unauthorized attacker to elevate privileges locally.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-454 - External Initialization of Trusted Variables or Data Stores
Assigner
References
Impacted products
Vendor Product Version
Microsoft Microsoft Azure AD SSH Login extension for Linux Affected: 1.0.0 , < 1.0.033370002 (custom)
Create a notification for this product.
Date Public
2026-03-10 14:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26148",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T18:00:53.165002Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-10T18:00:59.920Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft Azure AD SSH Login extension for Linux",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.0.033370002",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:azure_ad_ssh_login_extension_for_linux:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.0.033370002",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-03-10T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "External initialization of trusted variables or data stores in Azure Entra ID allows an unauthorized attacker to elevate privileges locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-454",
              "description": "CWE-454: External Initialization of Trusted Variables or Data Stores",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-19T18:17:56.821Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Azure AD SSH Login extension for Linux Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26148"
        }
      ],
      "title": "Microsoft Azure AD SSH Login extension for Linux Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-26148",
    "datePublished": "2026-03-10T17:05:14.582Z",
    "dateReserved": "2026-02-11T16:24:51.135Z",
    "dateUpdated": "2026-06-19T18:17:56.821Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-36244 (GCVE-0-2025-36244)

Vulnerability from cvelistv5 – Published: 2025-09-16 14:38 – Updated: 2026-02-26 17:48
VLAI
Title
IBM AIX privilege escalation
Summary
IBM AIX 7.2, 7.3, IBM VIOS 3.1, and 4.1, when configured to use Kerberos network authentication, could allow a local user to write to files on the system with root privileges due to improper initialization of critical variables.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-454 - External Initialization of Trusted Variables or Data Stores
Assigner
ibm
References
URL Tags
https://www.ibm.com/support/pages/node/7245092 vendor-advisorypatch
Impacted products
Vendor Product Version
IBM AIX Affected: 7.2
Affected: 7.3
    cpe:2.3:o:ibm:aix:7.2:*:*:*:*:*:*:*
    cpe:2.3:o:ibm:aix:7.3:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:vios:3.1:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:vios:4.1:*:*:*:*:*:*:*
Create a notification for this product.
IBM VIOS Affected: 3.1
Affected: 4.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-36244",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-17T03:55:49.092212Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T17:48:29.890Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:o:ibm:aix:7.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:ibm:aix:7.3:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:vios:3.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:vios:4.1:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "AIX",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "7.2"
            },
            {
              "status": "affected",
              "version": "7.3"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "VIOS",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "3.1"
            },
            {
              "status": "affected",
              "version": "4.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IBM AIX 7.2, 7.3, IBM VIOS 3.1, and 4.1, when configured to use Kerberos network authentication, could allow a local user to write to files on the system with root privileges due to improper initialization of critical variables."
            }
          ],
          "value": "IBM AIX 7.2, 7.3, IBM VIOS 3.1, and 4.1, when configured to use Kerberos network authentication, could allow a local user to write to files on the system with root privileges due to improper initialization of critical variables."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-454",
              "description": "CWE-454 External Initialization of Trusted Variables or Data Stores",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-22T18:10:06.615Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7245092"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eAIX and VIOS fixes are available. The AIX and VIOS fixes can be downloaded via https from:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://aix.software.ibm.com/aix/efixes/security/kerberos_fix.tar\"\u003ehttps://aix.software.ibm.com/aix/efixes/security/kerberos_fix.tar\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe link above is to a tar file containing this signed advisory, fix packages, and OpenSSL signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eYou must be on the \u0027prereq for installation\u0027 level before applying the interim fix. This may require installing a new level(prereq version) first from:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/resources/mrs/assets?source=aixbp\"\u003ehttps://www.ibm.com/resources/mrs/assets?source=aixbp\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAIX Level\u003c/td\u003e\u003ctd\u003eInterim Fix\u003c/td\u003e\u003ctd\u003eFileset Name (prereq for installation)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e7.2, 7.3\u003c/td\u003e\u003ctd\u003eIJ55344s9a.250722.epkg.Z\u003c/td\u003e\u003ctd\u003ekrb5.client.rte (1.16.1.7)\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eVIOS Level\u003c/td\u003e\u003ctd\u003eInterim Fix\u003c/td\u003e\u003ctd\u003eFileset Name (prereq for installation)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e3.1, 4.1\u003c/td\u003e\u003ctd\u003eIJ55344s9a.250722.epkg.Z\u003c/td\u003e\u003ctd\u003ekrb5.client.rte (1.16.1.7)\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eTo extract the fixes from the tar file:\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003etar xvf kerberos_fix.tar\u003c/p\u003e\u003cp\u003ecd kerberos_fix\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eVerify you have retrieved the fixes intact:\u003c/p\u003e\u003cp\u003eThe checksums below were generated using the \"openssl dgst -sha256 [filename]\" command as the following:\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eopenssl dgst -sha256\u003c/td\u003e\u003ctd\u003efilename\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e7e771a31c6f02b5635d99e3444c6085c1c67fd744ed00eade1d042134df6bb54\u003c/td\u003e\u003ctd\u003eIJ55344s9a.250722.epkg.Z\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eThese sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes.  If the sums or signatures cannot be confirmed, contact IBM Support at \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://ibm.com/support/\"\u003ehttp://ibm.com/support/\u003c/a\u003e\u0026nbsp;and describe the discrepancy.  \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eopenssl dgst -sha256 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]\u003c/p\u003e\u003cp\u003eopenssl dgst -sha256 -verify [pubkey_file] -signature [ifix_file].sig [ifix_file]\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003ePublished advisory OpenSSL signature file location:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://aix.software.ibm.com/aix/efixes/security/kerberos_advisory.asc.sig\"\u003ehttps://aix.software.ibm.com/aix/efixes/security/kerberos_advisory.asc.sig\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "IBM strongly recommends addressing the vulnerability now.\n\n\u00a0\n\nAIX and VIOS fixes are available. The AIX and VIOS fixes can be downloaded via https from:\n\n https://aix.software.ibm.com/aix/efixes/security/kerberos_fix.tar \u00a0\n\n\u00a0\n\nThe link above is to a tar file containing this signed advisory, fix packages, and OpenSSL signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels.\n\n\u00a0\n\nYou must be on the \u0027prereq for installation\u0027 level before applying the interim fix. This may require installing a new level(prereq version) first from:\n\n https://www.ibm.com/resources/mrs/assets?source=aixbp \n\n\u00a0\n\nAIX LevelInterim FixFileset Name (prereq for installation)7.2, 7.3IJ55344s9a.250722.epkg.Zkrb5.client.rte (1.16.1.7)\n\n\u00a0\n\nVIOS LevelInterim FixFileset Name (prereq for installation)3.1, 4.1IJ55344s9a.250722.epkg.Zkrb5.client.rte (1.16.1.7)\n\n\u00a0\n\nTo extract the fixes from the tar file:\n\n\u00a0\n\ntar xvf kerberos_fix.tar\n\ncd kerberos_fix\n\n\u00a0\n\nVerify you have retrieved the fixes intact:\n\nThe checksums below were generated using the \"openssl dgst -sha256 [filename]\" command as the following:\n\n\u00a0\n\nopenssl dgst -sha256filename7e771a31c6f02b5635d99e3444c6085c1c67fd744ed00eade1d042134df6bb54IJ55344s9a.250722.epkg.Z\n\n\u00a0\n\nThese sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes.  If the sums or signatures cannot be confirmed, contact IBM Support at  http://ibm.com/support/ \u00a0and describe the discrepancy.  \u00a0 \u00a0 \u00a0 \u00a0\n\n\u00a0\n\nopenssl dgst -sha256 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]\n\nopenssl dgst -sha256 -verify [pubkey_file] -signature [ifix_file].sig [ifix_file]\n\n\u00a0\n\nPublished advisory OpenSSL signature file location:\n\n https://aix.software.ibm.com/aix/efixes/security/kerberos_advisory.asc.sig"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM AIX privilege escalation",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIf possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eTo preview a fix installation:\u003c/p\u003e\u003cp\u003einstallp -a -d fix_name -p all  # where fix_name is the name of the\u003c/p\u003e\u003cp\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; # fix package being previewed.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eTo install a fix package:\u003c/p\u003e\u003cp\u003einstallp -a -d fix_name -X all  # where fix_name is the name of the\u003c/p\u003e\u003cp\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; # fix package being installed.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eInterim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; however, IBM does fully support them.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eInterim fix management documentation can be found at:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/managing-interim-fixes-aix\"\u003ehttps://www.ibm.com/support/pages/managing-interim-fixes-aix\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eTo preview an interim fix installation:\u003c/p\u003e\u003cp\u003eemgr -e ipkg_name -p \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; # where ipkg_name is the name of the\u003c/p\u003e\u003cp\u003e\u0026nbsp;  \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; # interim fix package being previewed.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eTo install an interim fix package:\u003c/p\u003e\u003cp\u003eemgr -e ipkg_name -X \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; # where ipkg_name is the name of the\u003c/p\u003e\u003cp\u003e\u0026nbsp;  \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; # interim fix package being installed.\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding.\n\n\u00a0\n\nTo preview a fix installation:\n\ninstallp -a -d fix_name -p all  # where fix_name is the name of the\n\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 # fix package being previewed.\n\n\u00a0\n\nTo install a fix package:\n\ninstallp -a -d fix_name -X all  # where fix_name is the name of the\n\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 # fix package being installed.\n\n\u00a0\n\nInterim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; however, IBM does fully support them.\n\n\u00a0\n\nInterim fix management documentation can be found at:\n\n https://www.ibm.com/support/pages/managing-interim-fixes-aix \n\n\u00a0\n\nTo preview an interim fix installation:\n\nemgr -e ipkg_name -p \u00a0 \u00a0 \u00a0 \u00a0 # where ipkg_name is the name of the\n\n\u00a0  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 # interim fix package being previewed.\n\n\u00a0\n\nTo install an interim fix package:\n\nemgr -e ipkg_name -X \u00a0 \u00a0 \u00a0 \u00a0 # where ipkg_name is the name of the\n\n\u00a0  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 # interim fix package being installed."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-36244",
    "datePublished": "2025-09-16T14:38:08.632Z",
    "dateReserved": "2025-04-15T21:16:43.930Z",
    "dateUpdated": "2026-02-26T17:48:29.890Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-G3H8-WGX9-76X9

Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-09-16 15:32
VLAI
Details

IBM AIX 7.2, 7.3, IBM VIOS 3.1, and 4.1, when configured to use Kerberos network authentication, could allow a local user to write to files on the system with root privileges due to improper initialization of critical variables.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36244"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-454"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-16T15:15:44Z",
    "severity": "HIGH"
  },
  "details": "IBM AIX 7.2, 7.3, IBM VIOS 3.1, and 4.1, when configured to use Kerberos network authentication, could allow a local user to write to files on the system with root privileges due to improper initialization of critical variables.",
  "id": "GHSA-g3h8-wgx9-76x9",
  "modified": "2025-09-16T15:32:37Z",
  "published": "2025-09-16T15:32:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36244"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7245092"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJ59-H3Q9-GHFH

Vulnerability from github – Published: 2026-04-25 23:48 – Updated: 2026-05-19 15:56
VLAI
Summary
OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config
Details

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: < 2026.4.20
  • Patched version: 2026.4.20

Impact

Workspace MCP stdio configuration could pass dangerous process-startup environment variables such as NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to the spawned MCP server process. In a malicious workspace, this could make the MCP child load attacker-controlled code when the operator starts a session that uses that MCP server.

The impact is limited to local/workspace trust boundaries and requires the operator to run OpenClaw in a workspace containing the malicious MCP configuration. Severity is therefore medium, not high/critical.

Fix

OpenClaw now filters MCP stdio environment entries through the host environment safety denylist before spawning stdio MCP servers.

Fix commits:

  • 62fa5071896e95edc7f67d1cebc70a2859e283af
  • 85d86ebc4bf3d2226d39d132a484f4f7a299fa1b

Release

Fixed in OpenClaw 2026.4.20.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44995"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-427",
      "CWE-454",
      "CWE-829"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-25T23:48:03Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nWorkspace MCP stdio configuration could pass dangerous process-startup environment variables such as `NODE_OPTIONS`, `LD_PRELOAD`, or `BASH_ENV` to the spawned MCP server process. In a malicious workspace, this could make the MCP child load attacker-controlled code when the operator starts a session that uses that MCP server.\n\nThe impact is limited to local/workspace trust boundaries and requires the operator to run OpenClaw in a workspace containing the malicious MCP configuration. Severity is therefore medium, not high/critical.\n\n## Fix\n\nOpenClaw now filters MCP stdio environment entries through the host environment safety denylist before spawning stdio MCP servers.\n\nFix commits:\n\n- `62fa5071896e95edc7f67d1cebc70a2859e283af`\n- `85d86ebc4bf3d2226d39d132a484f4f7a299fa1b`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.",
  "id": "GHSA-mj59-h3q9-ghfh",
  "modified": "2026-05-19T15:56:20Z",
  "published": "2026-04-25T23:48:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mj59-h3q9-ghfh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44995"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/62fa5071896e95edc7f67d1cebc70a2859e283af"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/85d86ebc4bf3d2226d39d132a484f4f7a299fa1b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-mcp-stdio-environment-variables"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config"
}

GHSA-QXWJ-8XXC-QWM6

Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-03-10 18:31
VLAI
Details

External initialization of trusted variables or data stores in Azure Entra ID allows an unauthorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-26148"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-454"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-10T18:18:43Z",
    "severity": "HIGH"
  },
  "details": "External initialization of trusted variables or data stores in Azure Entra ID allows an unauthorized attacker to elevate privileges locally.",
  "id": "GHSA-qxwj-8xxc-qwm6",
  "modified": "2026-03-10T18:31:21Z",
  "published": "2026-03-10T18:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26148"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26148"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WHXW-24JC-CWMV

Vulnerability from github – Published: 2026-06-18 15:04 – Updated: 2026-06-18 15:04
VLAI
Summary
Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header
Details

TL;DR

This vulnerability affects Kirby sites that have no configured user accounts and are running on publicly accessible servers behind a reverse proxy that sets the Forwarded: for=..., X-Client-IP, or X-Real-IP request header.

It was possible to install the Panel (= create the first admin user) in these setups even from remote IP addresses.

This vulnerability is of critical severity for affected sites.

Your site is not affected if any of the following apply:

  • An admin account has already been configured
  • The Panel and API are disabled
  • The site is not running behind a reverse proxy
  • The reverse proxy sets the X-Forwarded-For or Client-IP header instead of the affected ones.

Introduction

External Initialization is a type of vulnerability that allows attackers to initialize a system or configuration value without authentication.

This can give untrusted actors access to the system or let them control its behavior.

Affected components

The Kirby Panel and REST API are authenticated by local user accounts. If a Kirby installation does not yet have any users, it first needs to be installed. During the installation process, an initial admin user account is created.

To protect against external initialization attacks that would allow untrusted actors to create an admin user for the Kirby installation, Kirby already checked whether the current request came from a local IP address. This allows installing the Panel in local development setups. Installation on remote servers was only supposed to be possible when the panel.install configuration option was enabled.

The isLocal check takes all relevant request headers into account and treats a request as non-local as soon as any checked request header contains an external IP address.

Impact

In affected releases, the isLocal check for the installation logic did not properly take the Forwarded: for=... header into account. This header is set by modern reverse proxy servers. It also did not take into account the X-Client-IP or X-Real-IP headers, which are set by some custom reverse proxy setups.

This caused Kirby to falsely assume that an installation request was local and allowed creating an admin account even though the reverse proxy forwarded the request from an external IP address.

Reverse proxies setting the X-Forwarded-For or Client-IP headers were not affected. These headers were already properly checked for external IP addresses.

Patches

The problem has been patched in Kirby 4.9.4 and Kirby 5.4.4. Please update to one of these or a later version to fix the vulnerability.

In all of the mentioned releases, we fixed the isLocal check to also properly take Forwarded: for=..., X-Client-IP and X-Real-IP request headers into account.

Workarounds

Sites on older Kirby versions (Kirby 3 starting at 3.7.0) can be protected with one of the following workarounds:

  • Perform the Panel installation yourself by creating an initial admin account. As soon as one or more accounts are present, the vulnerable installation code is no longer active.
  • If you don't need the Panel, disable the REST API with the 'api' => false option in config.php.

Credits

Thanks to Peter Levashov (@petersevera) for responsibly reporting the identified issue.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.9.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.9.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.4.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-alpha.1"
            },
            {
              "fixed": "5.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54003"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-454"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T15:04:57Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### TL;DR\n\nThis vulnerability affects Kirby sites that have no configured user accounts and are running on publicly accessible servers behind a reverse proxy that sets the `Forwarded: for=...`, `X-Client-IP`, or `X-Real-IP` request header.\n\nIt was possible to install the Panel (= create the first admin user) in these setups even from remote IP addresses.\n\n**This vulnerability is of critical severity for affected sites.**\n\nYour site is *not* affected if any of the following apply: \n\n- An admin account has already been configured\n- The Panel and API are disabled\n- The site is not running behind a reverse proxy\n- The reverse proxy sets the `X-Forwarded-For` or `Client-IP` header instead of the affected ones.\n\n----\n\n### Introduction\n\nExternal Initialization is a type of vulnerability that allows attackers to initialize a system or configuration value without authentication.\n\nThis can give untrusted actors access to the system or let them control its behavior.\n\n### Affected components\n\nThe Kirby Panel and REST API are authenticated by local user accounts. If a Kirby installation does not yet have any users, it first needs to be installed. During the installation process, an initial admin user account is created.\n\nTo protect against external initialization attacks that would allow untrusted actors to create an admin user for the Kirby installation, Kirby already checked whether the current request came from a local IP address. This allows installing the Panel in local development setups. Installation on remote servers was only supposed to be possible when the `panel.install` configuration option was enabled.\n\nThe `isLocal` check takes all relevant request headers into account and treats a request as non-local as soon as any checked request header contains an external IP address.\n\n### Impact\n\nIn affected releases, the `isLocal` check for the installation logic did not properly take the `Forwarded: for=...` header into account. This header is set by modern reverse proxy servers. It also did not take into account the `X-Client-IP` or `X-Real-IP` headers, which are set by some custom reverse proxy setups.\n\nThis caused Kirby to falsely assume that an installation request was local and allowed creating an admin account even though the reverse proxy forwarded the request from an external IP address.\n\nReverse proxies setting the `X-Forwarded-For` or `Client-IP` headers were *not* affected. These headers were already properly checked for external IP addresses.\n\n### Patches\n\nThe problem has been patched in [Kirby 4.9.4](https://github.com/getkirby/kirby/releases/tag/4.9.4) and [Kirby 5.4.4](https://github.com/getkirby/kirby/releases/tag/5.4.4). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, we fixed the `isLocal` check to also properly take `Forwarded: for=...`, `X-Client-IP` and `X-Real-IP` request headers into account.\n\n### Workarounds\n\nSites on older Kirby versions (Kirby 3 starting at 3.7.0) can be protected with one of the following workarounds:\n\n- Perform the Panel installation yourself by creating an initial admin account. As soon as one or more accounts are present, the vulnerable installation code is no longer active.\n- If you don\u0027t need the Panel, disable the REST API with the `\u0027api\u0027 =\u003e false` option in `config.php`.\n\n### Credits\n\nThanks to Peter Levashov (@petersevera) for responsibly reporting the identified issue.",
  "id": "GHSA-whxw-24jc-cwmv",
  "modified": "2026-06-18T15:04:57Z",
  "published": "2026-06-18T15:04:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-whxw-24jc-cwmv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getkirby/kirby"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/4.9.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/5.4.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header"
}

Mitigation
Implementation

Strategy: Input Validation

A product system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking (e.g. input validation) is performed when relying on input from outside a trust boundary.

Mitigation
Architecture and Design

Avoid any external control of variables. If necessary, restrict the variables that can be modified using an allowlist, and use a different namespace or naming convention if possible.

No CAPEC attack patterns related to this CWE.