{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-39393/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-39393"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CI4MS"],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-39393","CI4MS","CodeIgniter","Remote Code Execution","Unauthenticated Access"],"_cs_type":"advisory","_cs_vendors":["CI4MS"],"content_html":"\u003cp\u003eCI4MS, a CodeIgniter 4-based CMS skeleton, is vulnerable to a critical security flaw (CVE-2026-39393) in versions prior to 0.31.4.0. The vulnerability stems from an insufficient install route guard mechanism. This guard, designed to prevent unauthorized access to the setup wizard after installation, relies on a combination of a volatile cache check (\u003ccode\u003ecache('settings')\u003c/code\u003e) and the presence of the \u003ccode\u003e.env\u003c/code\u003e file. When the database becomes temporarily unreachable, leading to a cache miss (either due to TTL expiry or manual cache clearing), the route guard fails open. This failure enables an unauthenticated attacker to access the setup wizard and overwrite the \u003ccode\u003e.env\u003c/code\u003e file with maliciously crafted database credentials. Successful exploitation leads to complete application takeover. The vulnerability was patched in version 0.31.4.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe target CI4MS instance experiences a database outage or becomes temporarily unreachable.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecache('settings')\u003c/code\u003e check in the install route guard fails due to a cache miss caused by the database outage.\u003c/li\u003e\n\u003cli\u003eThe flawed logic in the route guard incorrectly determines that the application is not yet installed.\u003c/li\u003e\n\u003cli\u003eAn unauthenticated attacker accesses the \u003ccode\u003e/install\u003c/code\u003e route, bypassing the intended security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker interacts with the setup wizard, providing malicious database credentials.\u003c/li\u003e\n\u003cli\u003eThe application proceeds to overwrite the existing \u003ccode\u003e.env\u003c/code\u003e file with the attacker-supplied database configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full administrative access to the CI4MS application using the newly configured database credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker can then execute arbitrary code, modify content, and compromise sensitive data within the CI4MS application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39393 allows an unauthenticated attacker to achieve full application takeover of CI4MS instances running versions prior to 0.31.4.0. This can lead to complete data breaches, website defacement, and potential compromise of the underlying server. The severity is critical due to the ease of exploitation and the potential for widespread damage. The number of affected systems depends on the number of CI4MS installations that have not been upgraded to version 0.31.4.0 or later.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade all CI4MS installations to version 0.31.4.0 or later to patch CVE-2026-39393.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring for unusual access attempts to the \u003ccode\u003e/install\u003c/code\u003e route on CI4MS instances.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CI4MS Install Route Access\u003c/code\u003e to detect unauthorized access attempts to the vulnerable installation route.\u003c/li\u003e\n\u003cli\u003eReview webserver logs for POST requests to the \u003ccode\u003e/install\u003c/code\u003e route with parameters suggestive of database configuration changes. Use the Sigma rule \u003ccode\u003eDetect CI4MS Env Overwrite\u003c/code\u003e as a starting point.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-30-ci4ms-takeover/","summary":"CI4MS versions before 0.31.4.0 are vulnerable to unauthenticated takeover due to a flawed install route guard that allows overwriting the .env file with attacker-controlled database credentials when the database is temporarily unreachable.","title":"CI4MS Unauthenticated .env Overwrite Vulnerability (CVE-2026-39393)","url":"https://feed.craftedsignal.io/briefs/2024-01-30-ci4ms-takeover/"}],"language":"en","title":"CraftedSignal Threat Feed - CVE-2026-39393","version":"https://jsonfeed.org/version/1.1"}