CVE-2026-39389
Published: 08 April 2026
Summary
CVE-2026-39389 is a medium-severity Improper Authorization (CWE-285) vulnerability in CI4MS (vendor ci4-cms-erp, product ci4ms). Its CVSS v3.1 base score is 6.7 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 5.0th percentile for exploit likelihood (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement): enforce approved authorizations on every request to a protected resource. This is the control the vulnerability violates: the application fails to enforce its own RBAC authorizations, so the fix in 0.31.4.0 is, in effect, a restoration of AC-3 in the affected code path.
SI-2 (Flaw Remediation): identify, report and correct system flaws in a timely manner. For this CVE that means upgrading CI4MS to version 0.31.4.0 or later and confirming the deployed version afterwards.
AC-6 (Least Privilege): grant high-privilege accounts only the permissions their role actually requires. This does not remove the flaw, but it limits what an attacker who already holds one of those accounts (the PR:H precondition in the CVSS vector) can reach through it.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exploitation for Privilege Escalation (T1068): the improper authorization (CWE-285) in this web-based CMS lets an attacker who already holds a high-privilege account perform actions beyond that account's intended scope. The escalation comes from a software flaw in the authorization check, not from stolen credentials or a misconfigured policy.
NVD Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0.
Deeper analysis
CVE-2026-39389 is an improper authorization vulnerability (CWE-285) in CI4MS, a CodeIgniter 4-based CMS skeleton that provides a production-ready, modular architecture with RBAC authorization and theme support. The issue affects versions prior to 0.31.4.0 and was published on 2026-04-08. It has a CVSS v3.1 base score of 6.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L).
The vulnerability is exploitable over the network with low attack complexity and no user interaction, but only by an attacker who already holds high privileges (PR:H), for example an authenticated account in a privileged role. Successful exploitation has a high impact on confidentiality and integrity and a low impact on availability, with scope unchanged: the attacker gains access to data or actions that the RBAC policy should have denied to that account, because the authorization check is not enforced correctly.
The GitHub security advisory GHSA-9rxp-f27p-wv3h (https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-9rxp-f27p-wv3h) is the authoritative description of the issue; the NVD description reproduced above is incomplete. Mitigation is to upgrade to version 0.31.4.0 or later.
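The following is an added illustration of the CWE-285 pattern behind the Mitigating Controls (AC-3, AC-6) and the impact discussion above: a coarse "is this user privileged?" check beside a per-route permission check. It is not CI4MS code and does not reproduce the defect fixed in 0.31.4.0 (the GHSA describes that). The role-to-permission map, the route table, the "<resource>.<action>" permission naming, the session array shape and the function names are all assumptions made for the example; it is written as a plain PHP script so it runs without the framework.

```php
<?php
declare(strict_types=1);

// Added example (not CI4MS code): CWE-285 in an RBAC-protected admin area.
// Everything below (roles, permissions, routes, session shape) is constructed.

// Constructed role -> permission map. Permission names follow an assumed
// "<resource>.<action>" convention. Anything not listed is denied.
const ROLE_PERMISSIONS = [
    'admin'  => ['users.read', 'users.write', 'users.delete', 'settings.write', 'content.write'],
    'editor' => ['users.read', 'content.write'],   // privileged, but not an administrator
    'viewer' => ['content.read'],
];

// Constructed route table: the permission each (HTTP method, path) requires.
// Numeric path segments are normalised to {id} by matchRoute().
const ROUTE_PERMISSIONS = [
    'GET /admin/users'         => 'users.read',
    'POST /admin/users'        => 'users.write',
    'DELETE /admin/users/{id}' => 'users.delete',
    'POST /admin/settings'     => 'settings.write',
];

// Returns the permission a request needs, or null if the route is unknown.
function matchRoute(string $method, string $path): ?string
{
    $path = '/' . trim($path, '/');
    $normalised = preg_replace('#/\d+(?=/|$)#', '/{id}', $path);
    return ROUTE_PERMISSIONS[strtoupper($method) . ' ' . $normalised] ?? null;
}

// Vulnerable pattern: the check proves the caller is an authenticated member of
// a privileged role, but never asks whether that role may perform THIS action.
// Any privileged account can therefore reach every admin route.
function authorizeVulnerable(array $session, string $method, string $path): bool
{
    if (!($session['logged_in'] ?? false)) {
        return false;
    }
    return in_array($session['role'] ?? '', ['admin', 'editor'], true);
}

// Hardened pattern: resolve the permission the specific route requires, look up
// what the caller's role actually grants, and deny by default on any mismatch
// (unknown route, unknown role, missing permission).
function authorizeHardened(array $session, string $method, string $path): bool
{
    if (!($session['logged_in'] ?? false)) {
        return false;
    }
    $required = matchRoute($method, $path);
    if ($required === null) {
        return false;                       // unregistered route: fail closed
    }
    $granted = ROLE_PERMISSIONS[$session['role'] ?? ''] ?? [];
    return in_array($required, $granted, true);
}

// Constructed session for an "editor": authenticated and privileged (the PR:H
// precondition), but not meant to delete users or change settings.
$editor = ['logged_in' => true, 'role' => 'editor'];

$requests = [
    ['GET',    '/admin/users'],
    ['DELETE', '/admin/users/7'],
    ['POST',   '/admin/settings'],
    ['GET',    '/admin/does-not-exist'],
];

foreach ($requests as [$method, $path]) {
    printf("%-6s %-24s vulnerable=%-5s hardened=%s\n",
        $method, $path,
        authorizeVulnerable($editor, $method, $path) ? 'allow' : 'deny',
        authorizeHardened($editor, $method, $path) ? 'allow' : 'deny');
}
```

Run with `php authz_example.php`: the vulnerable check allows the editor session through all four requests, while the hardened check allows only `GET /admin/users` and denies the user deletion, the settings change and the unregistered route. In a CodeIgniter 4 application this logic belongs in a route filter (a class implementing `CodeIgniter\Filters\FilterInterface` whose `before()` returns a 403 response when the check fails), registered against the admin routes in `app/Config/Filters.php`; the lookup should key on the route the router matched and the method it dispatched, not on a raw URI string, and the route-to-permission table should be generated from the real route definitions so that a new admin route cannot be added without a permission.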
Details
- CWE(s)