{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-39394/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-39394"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CI4MS"],"_cs_severities":["high"],"_cs_tags":["ci4ms","codeigniter","env-injection","cve-2026-39394"],"_cs_type":"advisory","_cs_vendors":["CI4MS"],"content_html":"\u003cp\u003eCI4MS is a CodeIgniter 4-based CMS skeleton designed to provide a production-ready, modular architecture with features like RBAC authorization and theme support. Versions prior to 0.31.4.0 contain a critical vulnerability (CVE-2026-39394) within the Install::index() controller. This controller reads the 'host' POST parameter without proper validation and passes it directly to the \u003ccode\u003eupdateEnvSettings()\u003c/code\u003e function. This function, in turn, uses \u003ccode\u003epreg_replace()\u003c/code\u003e to write the value into the .env file. The lack of newline character stripping in the input allows an attacker to inject arbitrary configuration directives. Furthermore, the installation routes have CSRF protection explicitly disabled, and the InstallFilter can be bypassed when the \u003ccode\u003ecache('settings')\u003c/code\u003e is empty, such as during initial deployment or after cache expiry. This vulnerability allows unauthenticated attackers to modify the application's configuration, leading to potentially complete system compromise. CI4MS deployments are vulnerable until upgraded to version 0.31.4.0 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a POST request to the \u003ccode\u003e/install\u003c/code\u003e route with a malicious 'host' parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eInstall::index()\u003c/code\u003e controller receives the POST request.\u003c/li\u003e\n\u003cli\u003eThe controller bypasses CSRF protection due to it being explicitly disabled.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eInstallFilter\u003c/code\u003e is bypassed because the \u003ccode\u003ecache('settings')\u003c/code\u003e is empty (e.g., on a fresh deployment).\u003c/li\u003e\n\u003cli\u003eThe 'host' parameter, containing injected configuration directives with newline characters, is passed to the \u003ccode\u003eupdateEnvSettings()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eupdateEnvSettings()\u003c/code\u003e function uses \u003ccode\u003epreg_replace()\u003c/code\u003e to write the attacker-controlled 'host' parameter into the .env file without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected configuration directives are written into the .env file, modifying the application's configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker can now leverage the modified configuration for further malicious activities, such as gaining unauthorized access, escalating privileges, or injecting malicious code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to inject arbitrary configuration directives into the .env file. This can lead to a wide range of consequences, including but not limited to: database credential compromise, modification of application behavior, remote code execution, and complete system takeover. The number of potential victims is dependent on the number of CI4MS deployments running vulnerable versions (pre-0.31.4.0). Targeted sectors are likely to be diverse, reflecting the broad range of applications for which CI4MS is used.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade CI4MS to version 0.31.4.0 or later to patch CVE-2026-39394.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/install\u003c/code\u003e route containing newline characters in the 'host' parameter to detect potential exploitation attempts. Implement the provided Sigma rules to detect this activity.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on all user-supplied data, especially for parameters that are used to modify configuration files.\u003c/li\u003e\n\u003cli\u003eEnsure that CSRF protection is enabled and functioning correctly for all sensitive routes, including installation routes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-ci4ms-env-injection/","summary":"CI4MS versions prior to 0.31.4.0 are vulnerable to .env file injection via the Install::index() controller due to insufficient input validation and bypassed CSRF protection, allowing attackers to inject arbitrary configuration directives.","title":"CI4MS .env File Injection Vulnerability (CVE-2026-39394)","url":"https://feed.craftedsignal.io/briefs/2024-01-02-ci4ms-env-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-39394","version":"https://jsonfeed.org/version/1.1"}