Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check (cache('settings')) combined with .env file existence to block post-installation access to the setup wizard. When the database is temporarily unreachable during a cache miss (TTL expiry or admin-triggered cache clear), the guard fails open, allowing an unauthenticated attacker to overwrite the .env file with attacker-controlled database credentials, achieving full application takeover. This vulnerability is fixed in 0.31.4.0.
Published: 2026-04-08
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: Full application takeover via .env file overwrite
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises when the CI4MS install route guard depends only on a volatile cache and the existence of an .env file to block post‑installation access. If the database becomes temporarily unreachable during a cache miss, the guard fails open, allowing an unauthenticated user to replace the .env file with attacker‑controlled database credentials. This leads to complete compromise of the application.
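The failure mode described above, as an added illustration that is not CI4MS code: a guard that treats a database error during a cache miss as "not installed" beside one that fails closed. The callables `$cache`, `$envExists` and `$dbInstalled` are hypothetical stand-ins for the framework's cache, filesystem and database helpers.

```php
<?php
// Added example, not from the CI4MS project. Models the fail-open pattern the
// advisory describes and a fail-closed alternative. $cache, $envExists and
// $dbInstalled are hypothetical callables standing in for framework helpers.

// Vulnerable shape: the "installed" decision rests on a volatile cache entry.
// On a cache miss the guard falls back to the database, and an unreachable
// database is handled like "not installed", so the wizard becomes reachable.
function installAllowedFailOpen(callable $cache, callable $envExists, callable $dbInstalled): bool
{
    $settings = $cache('settings');          // null after TTL expiry or a cache clear
    if ($settings !== null && $envExists()) {
        return false;                        // both signals present: block the wizard
    }
    try {
        return !$dbInstalled();              // cache miss: ask the database
    } catch (\Throwable $e) {
        return true;                         // database unreachable: allows access
    }
}

// Hardened shape: a written .env (or a durable install marker) is by itself
// proof that installation finished, and any verification error denies access.
function installAllowedFailClosed(callable $cache, callable $envExists, callable $dbInstalled): bool
{
    if ($envExists()) {
        return false;                        // durable evidence of a completed install
    }
    if ($cache('settings') !== null) {
        return false;                        // cached settings also mean installed
    }
    try {
        return !$dbInstalled();              // only allow if the DB positively says "not installed"
    } catch (\Throwable $e) {
        return false;                        // cannot verify: deny (fails closed)
    }
}

// Constructed post-install state: cache miss, .env present, database outage.
$cache     = fn(string $key) => null;
$envExists = fn() => true;
$dbDown    = function (): bool { throw new \RuntimeException('database unreachable'); };

$openResult   = installAllowedFailOpen($cache, $envExists, $dbDown);
$closedResult = installAllowedFailClosed($cache, $envExists, $dbDown);
var_dump($openResult, $closedResult);
```

In this simulated state the first guard admits the request to the installer while the second denies it; the fix is to make a durable artifact the source of truth and to treat verification errors as denial.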

Affected Systems

Vendor ci4-cms-erp’s CI4MS product, versions earlier than 0.31.4.0, is affected. The issue persists until the product is upgraded to version 0.31.4.0 or later, which ships the corrected install guard.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a web request to the installer endpoint after a temporary database outage, an event that is plausible in many hosting environments. Once exploited, the attacker gains full control of the application, making this a critical risk for any production installation.

Generated by OpenCVE AI on April 8, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ci4ms to version 0.31.4.0 or later
  • If upgrading immediately is not possible, remove or protect the install wizard route until the database connection is restored
  • Configure the .env file with restrictive file permissions so it cannot be overwritten by the web process
  • Regularly audit the .env file and application logs for unauthorized changes



Advisories
Source: GitHub GHSA
ID: GHSA-8rh5-4mvx-xj7j
Title: CI4MS Vulnerable to Post-Installation Re-entry via Cache-Dependent Install Guard Bypass
History

Wed, 08 Apr 2026 19:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Ci4-cms-erp; Ci4-cms-erp ci4ms
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Ci4-cms-erp; Ci4-cms-erp ci4ms

Wed, 08 Apr 2026 15:00:00 +0000

Type: Description
  Values Added: CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check (cache('settings')) combined with .env file existence to block post-installation access to the setup wizard. When the database is temporarily unreachable during a cache miss (TTL expiry or admin-triggered cache clear), the guard fails open, allowing an unauthenticated attacker to overwrite the .env file with attacker-controlled database credentials, achieving full application takeover. This vulnerability is fixed in 0.31.4.0.
Type: Title
  Values Added: Post-Installation Re-entry via Cache-Dependent Install Guard Bypass in ci4ms
Type: Weaknesses
  Values Added: CWE-306
Type: References
Type: Metrics
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T14:31:44.692Z

Reserved: 2026-04-06T22:06:40.516Z

Link: CVE-2026-39393

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T15:16:14.210

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39393

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:39:18Z

Weaknesses