Security Advisory IBEXA-SA-2026-001: Insufficient main landing page access control

Publication date: 05/03/2026, 16:20

Severity: High

Affected versions: Ibexa DXP v5.0.* (ibexa/core v5.0.*)
Resolving versions: Ibexa DXP v5.0.6 (ibexa/core v5.0.6)

This security advisory resolves a vulnerability in core. Given a site where the main landing page of the frontend is not supposed to be available without login, unauthenticated, anonymous users could still reach the main landing page, without the normally required User/Login policy. Sites that do allow unathenticated access to the main landing page are therefore not affected.

Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/infrastructure_and_maintenance/security/reporting_issues/

All security advisories

Tech blog

Get started with Ibexa DXP

Tutorials

Training

Slack

GitHub

Product roadmap

Community packages

REST API reference

GraphQL API docs

Product security at Ibexa

Security Advisories

Software service life

Issue tracker

Security advisory: IBEXA-SA-2026-001

Insufficient main landing page access control