CVE-2026-39393
Unauthenticated File Overwrite in CI4MS Install Route Leads to Takeover
Publication date: 2026-04-08
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ci4-cms-erp | ci4ms | to 0.31.4.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39393 is a vulnerability in the ci4ms package (versions up to 0.31.3.0) that allows an unauthenticated attacker to bypass the post-installation guard and gain full control of the application.
The install route guard relies on two checks to block access to the setup wizard after installation: the presence of a .env file and a non-empty volatile cache entry named 'settings'. However, if the database is temporarily unreachable during a cache miss (due to cache expiration or admin clearing), the cache remains empty because errors during cache population are silently ignored. This causes the guard to fail open, allowing attackers to access the install route.
Attackers can exploit this by sending a POST request to the install endpoint with attacker-controlled database credentials in the 'host' parameter, which is not validated and is directly written into the .env file. This overwrites the .env file, enabling full application takeover without needing a database connection.
The install routes lack CSRF protection, making the attack easier. After overwriting the .env file, the attacker can trigger database migrations on their controlled database and create an admin account, gaining full control.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including:
- Full application takeover by redirecting database queries to an attacker-controlled server.
- Credential theft as user data and API calls are sent to the attackerβs database.
- Loss of data integrity through arbitrary content injection and privilege escalation.
- Encryption key reset, which invalidates existing encrypted data and user sessions.
The exploit requires no authentication, no CSRF token, and no user interaction, making it highly dangerous.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an unauthenticated attacker to gain full application takeover by overwriting the .env file with attacker-controlled database credentials. This can lead to credential theft, data integrity loss, and unauthorized access to sensitive user data.
Such unauthorized access and potential data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, proper access controls, and prevention of unauthorized data disclosure.
The vulnerabilityβs impact on confidentiality, integrity, and availability of data directly conflicts with these regulatory requirements, potentially exposing organizations using the affected software to legal and compliance risks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized access attempts to the install route of the ci4ms application, especially during periods when the database is unreachable and the cache is empty.
Specifically, detection involves checking for POST requests to the install endpoint that attempt to overwrite the .env file with attacker-controlled database credentials.
Since the install routes are exempt from CSRF protection and require no authentication, unusual POST requests to the install route during database outages or cache clear events are suspicious.
Suggested commands to detect this activity could include:
- Using web server logs (e.g., Apache or Nginx) to search for POST requests to the install endpoint: `grep 'POST /install' /var/log/nginx/access.log`
- Monitoring for changes to the .env file timestamp or content: `stat /path/to/.env` or `diff /path/to/.env /path/to/.env.bak`
- Checking cache status and database connectivity to identify times when the cache is empty and the database is unreachable.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade the ci4ms package to version 0.31.4.0 or later, where the vulnerability is fixed.
- Replace the volatile cache-based install guard with a persistent filesystem lock by ensuring an installed.lock file exists in the WRITEPATH directory.
- Create the installed.lock file at the end of a successful installation process to prevent re-entry.
- Add strict validation rules for the host parameter in the install endpoint to prevent injection of attacker-controlled database credentials.
- Avoid clearing the settings cache or ensure the database is reachable before clearing the cache to prevent the guard from failing open.