CI4MS patches install-route re-entry enabling .env overwrite
TL;DR — A cache-dependent install guard in ci4ms can fail open, letting unauthenticated attackers re-run the installer and overwrite the application’s .env during certain outage windows, enabling full takeover.
What happened
CI4MS is a CodeIgniter 4-based CMS skeleton intended to provide a production-ready, modular architecture (including RBAC and theme support). CVE-2026-39393 describes a post-installation re-entry flaw where the install route guard relies on a volatile cache check (cache('settings')) plus .env existence to block access to the setup wizard.
When the database is temporarily unreachable during a cache miss (e.g., TTL expiry or cache clear), the guard can fail open, allowing an unauthenticated attacker to access the installer and overwrite the .env file with attacker-controlled database credentials, resulting in full application takeover.
| Item | Source value |
|---|---|
| Affected product | ci4-cms-erp/ci4ms |
| Affected versions | < 0.31.4.0 |
| Impact (per advisory/CVE) | Overwrite .env with attacker-controlled DB creds; full application takeover |
| Severity | CVSS v3.1 8.1 (High) |
| Primary reference | GHSA-8rh5-4mvx-xj7j |
This is operationally nasty because it turns a common reliability event (DB outage + cache miss) into an attacker-controlled “maintenance window” for configuration takeover — and installer endpoints are frequently exposed by default on internet-facing CMS deployments.
Who is impacted
- Deployments running
ci4msversions< 0.31.4.0. - Environments where the install route is reachable post-deploy (e.g.,
/install). - Higher-risk scenarios where a cache miss can coincide with a temporary database outage, creating a window where the install guard can fail open (as described in the advisory and CVE).
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
"This vulnerability is fixed in 0.31.4.0."
- Confirm whether
installroutes are reachable in production, and treat any unexpected installer reachability as a high-signal misconfiguration. - Review deployment/runbooks for conditions that can trigger the vulnerable window (database maintenance, connection exhaustion, network partitions) and assume those windows may be attacker-observable.
- If compromise is suspected (e.g., unexpected
.envchanges or unexpected DB host changes), rotate secrets reachable via.envand investigate for data exfiltration via attacker-controlled database endpoints.
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.