Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0.
Published: 2026-04-08
Score: 6.7 Medium
EPSS: n/a
KEV: No
Impact: Authorization bypass enabling arbitrary read and write of protected files
Action: Patch Immediately
AI Analysis

Impact

CI4MS ships a FileEditor module whose item list contains hidden entries. An attacker who can bypass the module's RBAC checks can read secret files and modify protected files, compromising the confidentiality and integrity of the system. The weakness is classified as CWE-285 (Improper Authorization).

Affected Systems

The vulnerability affects installations of CI4MS, an open-source CodeIgniter 4 based CMS skeleton, running any version prior to 0.31.4.0. The affected vendor is Ci4-cms-erp. Current users should verify that their deployment is at or above this version.

Risk and Exploitability

The CVSS 3.1 base score of 6.7 reflects moderate severity; the vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L) describes a network-reachable flaw that requires high privileges but no user interaction, with high confidentiality and integrity impact and low availability impact. EPSS information is not available, and the issue is not listed in the CISA KEV catalog, suggesting limited current exploitation. The likely attack vector is the web interface: an attacker must obtain a user session that can reach the FileEditor, or exploit a flaw that reveals hidden items. Once the authorization check is bypassed, the attacker can read sensitive configuration or application files and overwrite critical protected files.

Generated by OpenCVE AI on April 8, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CI4MS to version 0.31.4.0 or newer.

Advisories

Source: GitHub GHSA
ID: GHSA-9rxp-f27p-wv3h
Title: CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files
History

Wed, 08 Apr 2026 19:30:00 +0000

Type: First Time appeared
Values Added: Ci4-cms-erp; Ci4-cms-erp ci4ms

Type: Vendors & Products
Values Added: Ci4-cms-erp; Ci4-cms-erp ci4ms

Wed, 08 Apr 2026 15:00:00 +0000

Type: Description
Values Added: CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0.

Type: Title
Values Added: CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files

Type: Weaknesses
Values Added: CWE-285

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 6.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T14:28:29.847Z

Reserved: 2026-04-06T22:06:40.515Z

Link: CVE-2026-39389

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T15:16:13.587

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39389

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:39:22Z

Weaknesses