CVE-2026-39394
Status: Received - Intake
Arbitrary Configuration Injection in CI4MS Install Controller

Publication date: 2026-04-08

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index() controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings(), which writes it into the .env file via preg_replace(). Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration directives into the .env file. The install routes have CSRF protection explicitly disabled, and the InstallFilter can be bypassed when cache('settings') is empty (cache expiry or fresh deployment). This vulnerability is fixed in 0.31.4.0.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor         Product   Version / Range
ci4-cms-erp    ci4ms     < 0.31.4.0 (0.31.4.0 excluded)
CWE
CWE-93: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39394 is a CRLF (Carriage Return Line Feed) injection vulnerability (CWE-93) in the ci4-cms-erp/ci4ms package, affecting versions prior to 0.31.4.0. It occurs because the Install::index() controller reads the 'host' POST parameter without any validation and passes it directly to the updateEnvSettings() function, which writes the value into the .env configuration file using preg_replace().

Since newline characters are not stripped from the 'host' parameter, an attacker can terminate the intended line and supply further lines, each of which becomes a configuration directive in .env. The .env template ships with every configuration line commented out, so the preg_replace() pattern that looks for an existing key matches nothing and the new 'key = value' text is appended verbatim, newlines included.

Additionally, CSRF protection is disabled for install routes, and the InstallFilter can be bypassed when the application cache is empty, such as during fresh installation or cache expiry, making exploitation easier.
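The write path described in the Description and in this answer, reduced to a runnable stand-in with a hardened counterpart. This is an added example, not CI4MS project code: the function names, the template contents, the 'app.baseURL' key and the attacker input are assumptions made for the demo; only the pattern (preg_replace() against a template whose lines are all commented out, falling back to appending the raw value) follows the advisory.

```php
<?php
declare(strict_types=1);

// Added example, not CI4MS project code. The function names, the template
// and the 'app.baseURL' key are assumptions; the pattern itself (regex
// replace against a fully commented template, else append verbatim) is the
// one the advisory describes.

/** Constructed template in the advisory's style: every directive commented out. */
function envTemplate(): string
{
    return <<<'ENV'
# CI_ENVIRONMENT = production
# app.baseURL = ''
# app.forceGlobalSecureRequests = true
ENV;
}

/**
 * Vulnerable writer. For each setting, replace an active "key = value" line
 * with preg_replace(); when nothing matched, append "key = value" as-is.
 * The value is never inspected, so a value containing "\n" becomes several
 * directives.
 */
function writeEnv(string $env, array $settings): string
{
    foreach ($settings as $key => $value) {
        $pattern = '/^' . preg_quote((string) $key, '/') . '[ \t]*=.*$/m';
        $line    = $key . ' = ' . $value;
        $count   = 0;
        $env     = preg_replace($pattern, $line, $env, 1, $count);
        if ($count === 0) {
            $env .= "\n" . $line;
        }
    }
    return $env;
}

/**
 * Hardened input check: a hostname or IPv4 literal with an optional port.
 * Anchored with \z, not $: in PCRE a bare $ also matches before a final
 * newline, so "example.test\n" would slip through /^...$/.
 */
function validateHost(string $host): string
{
    $re = '/^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?(?::\d{1,5})?\z/';
    if (preg_match($re, $host) !== 1) {
        throw new InvalidArgumentException('host must be a hostname or IPv4 address, optionally with :port');
    }
    return $host;
}

/** Hardened writer: validate keys, strip CR/LF/NUL from every value, then write. */
function writeEnvSafely(string $env, array $settings): string
{
    $clean = [];
    foreach ($settings as $key => $value) {
        if (preg_match('/^[A-Za-z0-9_.]+\z/', (string) $key) !== 1) {
            throw new InvalidArgumentException("invalid setting name: {$key}");
        }
        $clean[$key] = str_replace(["\r", "\n", "\0"], '', (string) $value);
    }
    return writeEnv($env, $clean);
}

// Constructed attacker input: a hostname, a newline, an injected directive,
// and a trailing '#' meant to comment out whatever the writer appends.
$attackerHost = "example.test\napp.forceGlobalSecureRequests = false #";

echo "--- vulnerable ---\n";
echo writeEnv(envTemplate(), ['app.baseURL' => 'http://' . $attackerHost . '/']), "\n";

echo "--- validated ---\n";
try {
    validateHost($attackerHost);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

echo "--- stripped (validation skipped on purpose) ---\n";
echo writeEnvSafely(envTemplate(), ['app.baseURL' => 'http://' . $attackerHost . '/']), "\n";
```

Run it with php. The first call appends two lines where one was intended, because the pattern matched nothing in the commented template and the host was concatenated verbatim. validateHost() rejects the same input, and even with validation skipped writeEnvSafely() collapses the value to a single line, so a second directive can no longer be smuggled in. The regex shown does not cover bracketed IPv6 literals; extend it if the installer must accept them.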


How can this vulnerability impact me?

This vulnerability can have several serious impacts including:

  • Hijacking application URLs by injecting app.baseURL to attacker-controlled domains, which can affect password reset links, redirects, and asset loading.
  • Downgrading security by disabling settings such as forceGlobalSecureRequests or Content Security Policy (CSP).
  • Manipulating sessions by altering session driver or save path configurations.
  • Causing denial of service by overwriting the .env file with the template and injected settings.
  • Redirecting database connections by injecting additional database configuration lines.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

On a deployed instance the durable evidence is the .env file itself: the installer writes a small, fixed set of keys, so any active (uncommented) directive it would not have written, or a key that appears twice, points to injection through the host or dbpassword parameters.

Note that grep works line by line and never sees the line terminator, so searching .env for a literal newline character finds nothing. Compare the active directives against what the installer should have written instead.

On the request side the newline arrives URL-encoded (%0A or %0D%0A) in the POST body. Default web server access logs record only the request line, not the body, so they cannot show the host value; they can, however, show that POST /install was served at all after installation, which should not happen once the InstallFilter is working.

  • List every active directive with its line number and review it against the expected set:
    grep -nvE '^[[:space:]]*(#|$)' .env
  • Find keys that appear more than once, a typical sign of an appended line:
    grep -vE '^[[:space:]]*(#|$)' .env | sed 's/[[:space:]]*=.*//' | sort | uniq -d
  • Check the access log for install requests after the installation date, for example:
    grep -E 'POST /install' /var/log/nginx/access.log
  • If a WAF or application-level request log captures request bodies, search those for an encoded newline in the host parameter, e.g. the pattern host=[^&]*%0[aAdD]
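Two of the checks above as an added script (not CI4MS project code): one lists the active .env directives that fall outside an allowlist or repeat, the other inspects a captured request body for an encoded newline in the host or dbpassword parameter. The allowlist, the sample .env and the sample body are constructed for the demo and are assumptions; in particular, the real set of keys the installer writes has to be taken from the deployment being checked.

```php
<?php
declare(strict_types=1);

// Added example, not CI4MS project code. The expected-key list, the sample
// .env text and the sample POST body are constructed for this demo.

/** Active (non-comment, non-blank) lines of a .env as [lineNo => [key, value]]. */
function activeDirectives(string $env): array
{
    $out = [];
    foreach (preg_split('/\r\n|\r|\n/', $env) as $i => $raw) {
        $line = trim($raw);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        $parts       = explode('=', $line, 2);
        $out[$i + 1] = [trim($parts[0]), trim($parts[1] ?? '')];
    }
    return $out;
}

/**
 * Flag active directives that the installer is not expected to write, and
 * keys that occur more than once, which by itself shows that something was
 * written to the file after installation.
 */
function suspiciousDirectives(string $env, array $expectedKeys): array
{
    $expected = array_fill_keys($expectedKeys, true);
    $seen     = [];
    $hits     = [];
    foreach (activeDirectives($env) as $lineNo => [$key]) {
        if (!isset($expected[$key])) {
            $hits[] = ['line' => $lineNo, 'key' => $key, 'reason' => 'unexpected key'];
        } elseif (isset($seen[$key])) {
            $hits[] = ['line' => $lineNo, 'key' => $key, 'reason' => 'duplicate key'];
        }
        $seen[$key] = true;
    }
    return $hits;
}

/**
 * Given a raw application/x-www-form-urlencoded body, as a WAF or
 * request-body log would capture it (access logs do not contain bodies),
 * return the named parameters whose decoded value contains CR or LF.
 */
function paramsWithCrlf(string $body, array $names): array
{
    parse_str($body, $params);
    $bad = [];
    foreach ($names as $name) {
        $value = $params[$name] ?? '';
        if (is_string($value) && preg_match('/[\r\n]/', $value) === 1) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// --- constructed sample data ---
$sampleEnv = <<<'ENV'
# CI_ENVIRONMENT = production
CI_ENVIRONMENT = production
app.baseURL = http://example.test
app.forceGlobalSecureRequests = false #/
database.default.hostname = localhost
app.baseURL = http://attacker.invalid
ENV;

// Keys a hypothetical installer writes; take the real list from the deployment.
$expectedKeys = ['CI_ENVIRONMENT', 'app.baseURL', 'database.default.hostname',
                 'database.default.database', 'database.default.username',
                 'database.default.password'];

foreach (suspiciousDirectives($sampleEnv, $expectedKeys) as $hit) {
    printf("line %d: %s (%s)\n", $hit['line'], $hit['key'], $hit['reason']);
}

// A captured POST body in which the newline arrives URL-encoded as %0A.
$sampleBody = 'host=example.test%0Aapp.forceGlobalSecureRequests+%3D+false+%23&dbpassword=s3cret';
foreach (paramsWithCrlf($sampleBody, ['host', 'dbpassword']) as $name) {
    echo "parameter {$name} contains CR/LF\n";
}
```

Against the sample data the first check reports the app.forceGlobalSecureRequests line as an unexpected key and the second app.baseURL line as a duplicate, and the second check names host as the parameter carrying a newline. Both checks are cheap enough to run on every parameter the installer writes to .env, not only on host.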

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Upgrade the ci4ms package to version 0.31.4.0 or later, where this vulnerability is fixed.
  • Until the upgrade is applied, validate the host POST parameter strictly: reject it unless it is a hostname or IP address, for example with an anchored regex such as /^[a-zA-Z0-9._-]+\z/ or with filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME). Anchor with \z (or the D modifier) rather than a bare $, because in PCRE a bare $ also matches before one trailing newline.
  • Sanitize every value passed to updateEnvSettings() by stripping CR and LF (and NUL) before it is written to the .env file, whichever parameter it came from.
  • Add the same newline validation to the dbpassword parameter, the secondary vector named above.
  • Strengthen the InstallFilter so that it decides on durable evidence of a completed installation (a lock file written at the end of the installer, or the existence of a settings table) instead of on cache state; an empty cache must never be read as "not installed".
  • Re-enable CSRF protection on the install routes, or restrict them by source address, until the upgrade is in place.
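The InstallFilter point above, as an added example (not CI4MS project code) of the decision an install filter should make so that an empty cache is never read as "not yet installed". The lock-file path, the $settingsTableExists callback and the sample inputs are assumptions for the demo; in a CodeIgniter 4 filter the boolean would drive a redirect away from the install routes, and the lock file would be written by the installer on success.

```php
<?php
declare(strict_types=1);

// Added example, not CI4MS project code. The lock-file location, the
// $settingsTableExists callback and the constructed inputs are assumptions.

/**
 * Return true only when there is no durable sign that installation has
 * completed. Order of trust: lock file, then the database, then the cache.
 */
function installRoutesAllowed(string $lockFile, callable $settingsTableExists, ?array $cachedSettings): bool
{
    // 1. A lock file written at the end of a successful install is the cheapest
    //    and most reliable signal; it survives cache expiry and restarts.
    if (is_file($lockFile)) {
        return false;
    }

    // 2. No lock file (older deployment, or it was deleted): ask the database.
    //    A connection failure is not evidence either way, so it is caught and
    //    the decision falls through to the remaining signal.
    try {
        if ($settingsTableExists() === true) {
            file_put_contents($lockFile, gmdate('c') . "\n", LOCK_EX);
            return false;
        }
    } catch (Throwable $e) {
        // fall through: the database could not answer
    }

    // 3. The cache can only confirm that installation happened, never deny it.
    if (!empty($cachedSettings)) {
        return false;
    }

    return true;
}

// --- demo with constructed inputs ---
$lock = sys_get_temp_dir() . '/ci4ms-demo-install.lock';
@unlink($lock);

$tableMissing = static fn(): bool => false;
$tablePresent = static fn(): bool => true;
$dbDown       = static function (): bool {
    throw new RuntimeException('no database connection');
};

// Fresh deployment: no lock, no table, no cache.
var_dump(installRoutesAllowed($lock, $tableMissing, null));
// Installed system whose cache has expired: the table decides and the lock is recreated.
var_dump(installRoutesAllowed($lock, $tablePresent, null));
var_dump(is_file($lock));
// Lock present and database down: the lock decides, the database is not consulted.
var_dump(installRoutesAllowed($lock, $dbDown, null));
@unlink($lock);
// No lock, database down, but the cache still holds settings: treated as installed.
var_dump(installRoutesAllowed($lock, $dbDown, ['site' => 'x']));
// No lock, database down, empty cache: nothing proves installation, so install is allowed.
var_dump(installRoutesAllowed($lock, $dbDown, []));
@unlink($lock);
```

The last scenario is the only one in which the filter still opens the install routes, and it is the genuine fresh-deployment state; the case the advisory describes (installed system, cache expired) is closed by the lock file or the table check before the cache is ever looked at. The installer must write the lock file at the end of a successful run for the first signal to exist.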

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to inject arbitrary configuration directives into the .env file, potentially hijacking application URLs, disabling security settings, manipulating sessions, and causing denial of service. Such impacts can lead to unauthorized access, data breaches, and disruption of service.

These consequences may result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data, secure system configurations, and prevention of unauthorized access.

However, the provided information does not explicitly mention compliance impacts or regulatory considerations.

