Platform
php
Component
ci4ms
Fixed in
0.31.5
CVE-2026-39393 is a high-severity vulnerability affecting CI4MS, a CodeIgniter 4-based CMS skeleton. This flaw allows an unauthenticated attacker to overwrite the critical .env file, potentially gaining full control over the database. The vulnerability impacts versions 0.0.0 through 0.31.3. A fix is available in version 0.31.4.
The primary impact of CVE-2026-39393 is the potential for complete database compromise. By overwriting the .env file, an attacker can inject malicious database credentials, effectively gaining full administrative access to the CI4MS installation. This could lead to data exfiltration, modification, or deletion, as well as the ability to execute arbitrary code on the server. The attack hinges on a race condition where a cache miss occurs during the setup process, preventing the guard from properly validating access. This is particularly concerning for installations that experience intermittent database connectivity issues or where the cache is frequently cleared.
CVE-2026-39393 was publicly disclosed on 2026-04-08. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the vulnerability's straightforward nature suggests it could be easily exploited. The EPSS score is likely to be assessed as medium due to the relatively simple exploitation path and potential impact.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-39393 is to immediately upgrade CI4MS to version 0.31.4 or later. If upgrading is not immediately feasible, consider implementing a temporary workaround by ensuring the database is consistently available during the setup process. This might involve increasing the cache TTL or implementing a more robust database connection check within the install route guard. Web application firewalls (WAFs) configured to detect and block attempts to modify the .env file could also provide a layer of defense. Monitor CI4MS logs for any unusual activity, particularly attempts to access the setup wizard.
Update to version 0.31.4 or higher to fix the vulnerability. This version implements a more robust validation to prevent unauthorized access to the installer after installation.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-39393 is a high-severity vulnerability in CI4MS versions 0.0.0 - <0.31.4.0 that allows attackers to overwrite the .env file, potentially gaining database credentials.
If you are running CI4MS version 0.0.0 through 0.31.3, you are potentially affected by this vulnerability. Upgrade immediately.
Upgrade CI4MS to version 0.31.4 or later to resolve this vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
There is currently no confirmed active exploitation of CVE-2026-39393, but the vulnerability's simplicity suggests it could be exploited.
Refer to the official CI4MS security advisory for detailed information and updates regarding CVE-2026-39393.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.