Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index() controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings(), which writes it into the .env file via preg_replace(). Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration directives into the .env file. The install routes have CSRF protection explicitly disabled, and the InstallFilter can be bypassed when cache('settings') is empty (cache expiry or fresh deployment). This vulnerability is fixed in 0.31.4.0.
Published: 2026-04-08
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: CRLF injection into the .env file allowing arbitrary configuration directives to be written
Action: Immediate Patch
AI Analysis

Impact

CI4MS, a CodeIgniter 4-based CMS skeleton, suffers from a CRLF injection flaw in its installation controller. The controller accepts a host POST parameter without validation and feeds it into updateEnvSettings(), which writes into the .env file through a regular expression replacement. Because newline characters are retained, an attacker can insert arbitrary configuration lines into the environment file. This results in unintended changes to application settings, potentially altering behavior of the system. The weakness is classified as a CRLF injection (CWE‑93).

Affected Systems

The impact covers installations of ci4-cms-erp’s CI4MS version earlier than 0.31.4.0. The vulnerability is specific to the install routes where CSRF protection is explicitly disabled, and becomes reachable when the settings cache is empty during a fresh deployment or cache expiration. Only the install controller processes the host parameter in this manner, so systems that are already booted and have a populated cache are not affected by the injection path as defined.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity; no EPSS score is available and the issue is not listed in the KEV catalogue. The likely attack vector is a web request to the install endpoint with a crafted host POST value containing CRLF sequences, taking advantage of the missing CSRF check and the bypassable InstallFilter when the cache is empty. This path requires only a standard HTTP request from a remote party, so the risk is significant for publicly accessible installations that have not yet applied the patch.

Generated by OpenCVE AI on April 8, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CI4MS to 0.31.4.0 or newer
  • If an upgrade is not immediately possible, block or restrict access to the installation routes until the patch can be applied
  • Ensure that CSRF protection is enabled for any remaining installation functionality

Generated by OpenCVE AI on April 8, 2026 at 16:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vfhx-5459-qhqh CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller
History

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Ci4-cms-erp
Ci4-cms-erp ci4ms
Vendors & Products Ci4-cms-erp
Ci4-cms-erp ci4ms

Wed, 08 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index() controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings(), which writes it into the .env file via preg_replace(). Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration directives into the .env file. The install routes have CSRF protection explicitly disabled, and the InstallFilter can be bypassed when cache('settings') is empty (cache expiry or fresh deployment). This vulnerability is fixed in 0.31.4.0.
Title CI4MS has an .env CRLF Injection via Unvalidated `host` Parameter in Install Controller
Weaknesses CWE-93
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Ci4-cms-erp Ci4ms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T16:13:10.966Z

Reserved: 2026-04-06T22:06:40.516Z

Link: CVE-2026-39394

cve-icon Vulnrichment

Updated: 2026-04-08T16:09:19.720Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T15:16:14.360

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39394

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:39:16Z

Weaknesses