CVE-2026-39389
Received Received - Intake
RBAC Bypass in CI4MS CMS Before

Publication date: 2026-04-08

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39389
EUVD
EUVD-2026-20481
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ci4-cms-erp ci4ms to 0.31.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39389 is an authorization bypass vulnerability in the Fileeditor controller of the ci4-cms-erp/ci4ms package (versions up to 0.31.3.0). The vulnerability occurs because a protected array called hiddenItems, which lists sensitive files and directories like .env, composer.json, and .git/, is only enforced in the listFiles() method. Other critical methods such as readFile(), saveFile(), deleteFileOrFolder(), renameFile(), createFile(), and createFolder() do not check against hiddenItems, allowing unauthorized access or modification of these sensitive files.

Additionally, CSRF protection is disabled for all Fileeditor routes, increasing the risk of cross-site request forgery attacks on write and delete operations.

This means that authenticated users with certain permissions can read sensitive files (like .env), overwrite important files (like composer.json), or delete critical files, potentially leading to exposure of secrets, remote code execution, or denial of service.

Impact Analysis

This vulnerability can impact you in several ways:

  • Confidentiality: Sensitive application secrets and configuration files (e.g., .env) can be read by unauthorized users, exposing database credentials and encryption keys.
  • Integrity: Unauthorized users with update permissions can overwrite critical files like composer.json with malicious content, potentially enabling remote code execution.
  • Availability: Users with delete permissions can remove essential files such as .env, causing the application to fail or become unavailable.
  • Security Misconception: The user interface hides sensitive files, but the API endpoints do not enforce these restrictions, misleading administrators about the true security posture.
Detection Guidance

This vulnerability can be detected by checking if the affected ci4-cms-erp/ci4ms Composer package version is less than or equal to 0.31.3.0 and by testing whether unauthorized access to sensitive files via the Fileeditor controller API endpoints is possible.

Specifically, you can attempt to access sensitive files such as `.env`, `composer.json`, or files in `.git/` directories through the `readFile()` API endpoint to verify if authorization bypass exists.

Suggested commands (assuming you have authenticated backend access and can make API calls):

  • Use curl or similar tools to send authenticated requests to the `readFile()` endpoint to try reading `.env` or other sensitive files, for example: `curl -X POST -H "Authorization: Bearer <token>" -d '{"filePath":".env"}' https://yourserver/api/fileeditor/readFile`
  • Check the version of the ci4-cms-erp/ci4ms package installed by inspecting the `composer.lock` or `composer.json` files or running `composer show ci4-cms-erp/ci4ms`.

Additionally, review the configuration file `modules/Fileeditor/Config/FileeditorConfig.php` to see if CSRF protection is disabled for Fileeditor routes, which increases risk.

Mitigation Strategies

Immediate mitigation steps include upgrading the ci4-cms-erp/ci4ms package to version 0.31.4.0 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, restrict access to the Fileeditor controller endpoints to only highly trusted users and audit permissions to ensure only necessary users have `fileeditor.read`, `fileeditor.update`, and `fileeditor.delete` permissions.

Re-enable CSRF protection for all Fileeditor routes by removing exemptions in `modules/Fileeditor/Config/FileeditorConfig.php` and ensure frontend requests include valid CSRF tokens.

Implement additional access controls or firewall rules to limit access to the backend API endpoints related to file editing.

Monitor logs for suspicious activity involving file reads, writes, deletions, or renames on sensitive files like `.env` or `composer.json`.

Compliance Impact

This vulnerability allows unauthorized access to sensitive configuration files such as .env, which may contain secrets like database credentials and encryption keys. Exposure of such sensitive data can lead to breaches of confidentiality, potentially violating data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.

Additionally, the ability to modify or delete critical files can compromise the integrity and availability of the application, further impacting compliance with standards that mandate data integrity and system availability.

The lack of proper authorization checks and disabled CSRF protection increases the risk of unauthorized data access and manipulation, which can result in non-compliance with security requirements outlined in common regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39389. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart