CVE-2026-39389
RBAC Bypass in CI4MS CMS Before
Publication date: 2026-04-08
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ci4-cms-erp | ci4ms | to 0.31.4.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39389 is an authorization bypass vulnerability in the Fileeditor controller of the ci4-cms-erp/ci4ms package (versions up to 0.31.3.0). The vulnerability occurs because a protected array called hiddenItems, which lists sensitive files and directories like .env, composer.json, and .git/, is only enforced in the listFiles() method. Other critical methods such as readFile(), saveFile(), deleteFileOrFolder(), renameFile(), createFile(), and createFolder() do not check against hiddenItems, allowing unauthorized access or modification of these sensitive files.
Additionally, CSRF protection is disabled for all Fileeditor routes, increasing the risk of cross-site request forgery attacks on write and delete operations.
This means that authenticated users with certain permissions can read sensitive files (like .env), overwrite important files (like composer.json), or delete critical files, potentially leading to exposure of secrets, remote code execution, or denial of service.
How can this vulnerability impact me? :
This vulnerability can impact you in several ways:
- Confidentiality: Sensitive application secrets and configuration files (e.g., .env) can be read by unauthorized users, exposing database credentials and encryption keys.
- Integrity: Unauthorized users with update permissions can overwrite critical files like composer.json with malicious content, potentially enabling remote code execution.
- Availability: Users with delete permissions can remove essential files such as .env, causing the application to fail or become unavailable.
- Security Misconception: The user interface hides sensitive files, but the API endpoints do not enforce these restrictions, misleading administrators about the true security posture.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the affected ci4-cms-erp/ci4ms Composer package version is less than or equal to 0.31.3.0 and by testing whether unauthorized access to sensitive files via the Fileeditor controller API endpoints is possible.
Specifically, you can attempt to access sensitive files such as `.env`, `composer.json`, or files in `.git/` directories through the `readFile()` API endpoint to verify if authorization bypass exists.
Suggested commands (assuming you have authenticated backend access and can make API calls):
- Use curl or similar tools to send authenticated requests to the `readFile()` endpoint to try reading `.env` or other sensitive files, for example: `curl -X POST -H "Authorization: Bearer <token>" -d '{"filePath":".env"}' https://yourserver/api/fileeditor/readFile`
- Check the version of the ci4-cms-erp/ci4ms package installed by inspecting the `composer.lock` or `composer.json` files or running `composer show ci4-cms-erp/ci4ms`.
Additionally, review the configuration file `modules/Fileeditor/Config/FileeditorConfig.php` to see if CSRF protection is disabled for Fileeditor routes, which increases risk.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the ci4-cms-erp/ci4ms package to version 0.31.4.0 or later, where this vulnerability is fixed.
If upgrading is not immediately possible, restrict access to the Fileeditor controller endpoints to only highly trusted users and audit permissions to ensure only necessary users have `fileeditor.read`, `fileeditor.update`, and `fileeditor.delete` permissions.
Re-enable CSRF protection for all Fileeditor routes by removing exemptions in `modules/Fileeditor/Config/FileeditorConfig.php` and ensure frontend requests include valid CSRF tokens.
Implement additional access controls or firewall rules to limit access to the backend API endpoints related to file editing.
Monitor logs for suspicious activity involving file reads, writes, deletions, or renames on sensitive files like `.env` or `composer.json`.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthorized access to sensitive configuration files such as .env, which may contain secrets like database credentials and encryption keys. Exposure of such sensitive data can lead to breaches of confidentiality, potentially violating data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.
Additionally, the ability to modify or delete critical files can compromise the integrity and availability of the application, further impacting compliance with standards that mandate data integrity and system availability.
The lack of proper authorization checks and disabled CSRF protection increases the risk of unauthorized data access and manipulation, which can result in non-compliance with security requirements outlined in common regulations.