Advisory severity: high

Yii 2 Local File Inclusion via View Parameter Name Collision (CVE-2026-39850)

A local file inclusion vulnerability (CVE-2026-39850) exists in Yii 2 versions prior to 2.0.55 due to the `View::renderPhpFile()` method's handling of the `_file_` parameter, allowing attackers to read arbitrary files and potentially achieve remote code execution if they can write PHP files.

Yii 2, a PHP framework, is vulnerable to a local file inclusion (LFI) vulnerability (CVE-2026-39850) affecting versions prior to 2.0.55. The vulnerability lies within the View::renderPhpFile() method, where the code calls extract($_params_, EXTR_OVERWRITE) before including the view file. This allows an attacker to control the _file_ parameter within the $params array and overwrite the internal local variable that dictates which file is included. This vulnerability can be exploited to read arbitrary files on the server. If an attacker possesses the capability to write PHP files to the server through a separate vulnerability or misconfiguration, they could potentially leverage this LFI to achieve remote code execution (RCE). This vulnerability impacts systems using the vulnerable versions of the Yii 2 framework and highlights the risks associated with uncontrolled variable extraction.

Attack Chain

  1. The attacker identifies a Yii 2 application running a version prior to 2.0.55.
  2. The attacker discovers a page or functionality that uses the View::renderPhpFile() method to render a view.
  3. The attacker crafts a request to this page, including a _file_ parameter within the $params array.
  4. The extract($_params_, EXTR_OVERWRITE) function within View::renderPhpFile() is called.
  5. The attacker-controlled _file_ parameter overwrites the internal $_file_ variable, which should point to the intended view file.
  6. The require statement then includes the file specified by the attacker-controlled _file_ parameter.
  7. If the attacker specifies a path to an existing file, the contents of that file are exposed.
  8. If the attacker can also write PHP code to the server (via another vulnerability or misconfiguration), the attacker can specify the path to that file, resulting in arbitrary code execution.
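To make the variable collision described above and in the attack chain concrete, here is an added example (not Yii's own code) with a minimal stand-in for the renderPhpFile() pattern beside a hardened variant. The function names, the reserved-key check and the use of EXTR_SKIP are assumptions for illustration, not the upstream fix; the code only reports which path would be passed to `require` and never includes anything.

```php
<?php
// Added example, not Yii's own code: a stand-in for the renderPhpFile() shape
// the advisory describes. It resolves the path that `require` WOULD receive
// and deliberately never includes a file.

// Vulnerable shape: EXTR_OVERWRITE lets a '_file_' key in $_params_
// clobber the $_file_ local that selects the view file.
function resolveViewFileVulnerable(string $_file_, array $_params_ = []): string
{
    extract($_params_, EXTR_OVERWRITE);
    return $_file_;   // what `require $_file_` would now receive
}

// Hardened shape (assumption, not the upstream patch): reject reserved
// parameter names up front, and use EXTR_SKIP so extract() refuses to
// overwrite any variable that already exists in this scope.
function resolveViewFileHardened(string $_file_, array $_params_ = []): string
{
    foreach (['_file_', '_params_'] as $reserved) {
        if (array_key_exists($reserved, $_params_)) {
            throw new InvalidArgumentException("Reserved view parameter name: $reserved");
        }
    }
    extract($_params_, EXTR_SKIP);
    return $_file_;
}

$intended = __DIR__ . '/views/site/index.php';
// Constructed sample input: a view parameter array carrying the colliding key.
$params = ['title' => 'Home', '_file_' => '/tmp/constructed-placeholder.txt'];

echo 'vulnerable resolves to: ' . resolveViewFileVulnerable($intended, $params) . PHP_EOL;
try {
    echo 'hardened resolves to:   ' . resolveViewFileHardened($intended, $params) . PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'hardened rejected: ' . $e->getMessage() . PHP_EOL;
}
```

The vulnerable function returns the attacker-supplied placeholder path, while the hardened one raises on the reserved key; even without the explicit check, EXTR_SKIP alone would leave $_file_ untouched.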

Impact

Successful exploitation of this vulnerability allows attackers to read arbitrary files on the server. This can lead to information disclosure, including sensitive configuration files, source code, or user data. Furthermore, if an attacker can upload or create PHP files on the server, they can leverage this LFI vulnerability to achieve remote code execution, potentially leading to full system compromise. The number of potential victims depends on the number of applications using vulnerable versions of Yii 2.

Recommendation

  • Upgrade to Yii 2 version 2.0.55 or later to patch CVE-2026-39850.
  • Deploy the Sigma rule “Detect Yii2 LFI via file parameter overwrite” to your SIEM to detect exploitation attempts.
  • Review application code that uses View::renderPhpFile() and ensure that user-supplied input is not directly used to construct the $params array, specifically the _file_ parameter.

Detection coverage (2 rules)

Rule: Detect Yii2 LFI via file parameter overwrite (severity: high)

Detects CVE-2026-39850 exploitation attempts by monitoring web server logs for requests containing a '_file_' parameter with suspicious path traversal sequences.

Format: Sigma. Tactics: initial_access. Techniques: T1190. Sources: webserver.

Rule: Detect Yii2 LFI via direct file access (severity: medium)

Detects CVE-2026-39850 exploitation by identifying direct access to sensitive files via HTTP requests that may indicate exploitation of the LFI.

Format: Sigma. Tactics: initial_access. Techniques: T1190. Sources: webserver.
