CVE-2026-39393
Received Received - Intake
Unauthenticated File Overwrite in CI4MS Install Route Leads to Takeover

Publication date: 2026-04-08

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check (cache('settings')) combined with .env file existence to block post-installation access to the setup wizard. When the database is temporarily unreachable during a cache miss (TTL expiry or admin-triggered cache clear), the guard fails open, allowing an unauthenticated attacker to overwrite the .env file with attacker-controlled database credentials, achieving full application takeover. This vulnerability is fixed in 0.31.4.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39393
EUVD
EUVD-2026-20487
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ci4-cms-erp ci4ms to 0.31.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39393 is a vulnerability in the ci4ms package (versions up to 0.31.3.0) that allows an unauthenticated attacker to bypass the post-installation guard and gain full control of the application.

The install route guard relies on two checks to block access to the setup wizard after installation: the presence of a .env file and a non-empty volatile cache entry named 'settings'. However, if the database is temporarily unreachable during a cache miss (due to cache expiration or admin clearing), the cache remains empty because errors during cache population are silently ignored. This causes the guard to fail open, allowing attackers to access the install route.

Attackers can exploit this by sending a POST request to the install endpoint with attacker-controlled database credentials in the 'host' parameter, which is not validated and is directly written into the .env file. This overwrites the .env file, enabling full application takeover without needing a database connection.

The install routes lack CSRF protection, making the attack easier. After overwriting the .env file, the attacker can trigger database migrations on their controlled database and create an admin account, gaining full control.

Impact Analysis

This vulnerability can have severe impacts including:

  • Full application takeover by redirecting database queries to an attacker-controlled server.
  • Credential theft as user data and API calls are sent to the attacker’s database.
  • Loss of data integrity through arbitrary content injection and privilege escalation.
  • Encryption key reset, which invalidates existing encrypted data and user sessions.

The exploit requires no authentication, no CSRF token, and no user interaction, making it highly dangerous.

Compliance Impact

This vulnerability allows an unauthenticated attacker to gain full application takeover by overwriting the .env file with attacker-controlled database credentials. This can lead to credential theft, data integrity loss, and unauthorized access to sensitive user data.

Such unauthorized access and potential data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, proper access controls, and prevention of unauthorized data disclosure.

The vulnerability’s impact on confidentiality, integrity, and availability of data directly conflicts with these regulatory requirements, potentially exposing organizations using the affected software to legal and compliance risks.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized access attempts to the install route of the ci4ms application, especially during periods when the database is unreachable and the cache is empty.

Specifically, detection involves checking for POST requests to the install endpoint that attempt to overwrite the .env file with attacker-controlled database credentials.

Since the install routes are exempt from CSRF protection and require no authentication, unusual POST requests to the install route during database outages or cache clear events are suspicious.

Suggested commands to detect this activity could include:

  • Using web server logs (e.g., Apache or Nginx) to search for POST requests to the install endpoint: `grep 'POST /install' /var/log/nginx/access.log`
  • Monitoring for changes to the .env file timestamp or content: `stat /path/to/.env` or `diff /path/to/.env /path/to/.env.bak`
  • Checking cache status and database connectivity to identify times when the cache is empty and the database is unreachable.
Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade the ci4ms package to version 0.31.4.0 or later, where the vulnerability is fixed.
  • Replace the volatile cache-based install guard with a persistent filesystem lock by ensuring an installed.lock file exists in the WRITEPATH directory.
  • Create the installed.lock file at the end of a successful installation process to prevent re-entry.
  • Add strict validation rules for the host parameter in the install endpoint to prevent injection of attacker-controlled database credentials.
  • Avoid clearing the settings cache or ensure the database is reachable before clearing the cache to prevent the guard from failing open.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39393. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart