CVE-2026-39393
Published: 08 April 2026
Summary
CVE-2026-39393 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations, preventing unauthorized access to the setup wizard even during cache misses or database unavailability.
- AC-25 (Reference Monitor): Implements a tamper-proof reference monitor that mediates all access to critical functions such as the install route without failing open.
- Requires fail-safe procedures for system failures such as cache expiry or DB unreachability, so that the guard does not permit access to the setup wizard.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated network access to a critical setup wizard in a public-facing CMS by bypassing the install guard, directly enabling T1190 (Exploit Public-Facing Application) for initial access and full application takeover via .env modification.
NVD Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check (cache('settings')) combined with .env file existence to block post-installation access to the setup wizard. When the database is temporarily unreachable during a cache miss (TTL expiry or admin-triggered cache clear), the guard fails open, allowing an unauthenticated attacker to overwrite the .env file with attacker-controlled database credentials, achieving full application takeover. This vulnerability is fixed in 0.31.4.0.
Deeper analysis
CVE-2026-39393 affects CI4MS, a CodeIgniter 4-based CMS skeleton providing a production-ready, modular architecture with RBAC authorization and theme support, in versions prior to 0.31.4.0. The vulnerability resides in the install route guard, which relies solely on a volatile cache check via cache('settings') combined with the existence of the .env file to prevent post-installation access to the setup wizard. During a cache miss—such as TTL expiry or an admin-triggered cache clear—if the database is temporarily unreachable, the guard fails open, exposing the setup functionality.
An unauthenticated attacker can exploit this over the network with high attack complexity and no user interaction required, as indicated by the CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). By triggering or waiting for a cache miss and ensuring database unavailability, the attacker gains access to the setup wizard and overwrites the .env file with attacker-controlled database credentials, resulting in full application takeover with high impacts on confidentiality, integrity, and availability. This issue stems from CWE-306 (Missing Authentication for Critical Function).
The vulnerability is addressed in CI4MS version 0.31.4.0. Additional details on the fix and mitigation are available in the GitHub security advisory at https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-8rh5-4mvx-xj7j, published on 2026-04-08.
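The guard pattern described above, modelled as an added Python example (this is not ci4ms code, whose guard is PHP; the AppState fields, function names and the "installed" flag are assumptions). It contrasts a guard that AND-s a volatile cache hit with .env existence and swallows a database error with a fail-closed guard that treats the on-disk marker as authoritative and denies on any unknown state:

```python
# Constructed model of an install-route guard: fail-open vs fail-closed.
from dataclasses import dataclass, field


class DatabaseUnavailable(Exception):
    """Raised when the settings table cannot be reached."""


@dataclass
class AppState:
    cache: dict = field(default_factory=dict)  # volatile; {} models a cache miss
    env_file_exists: bool = True               # .env written by the installer
    db_online: bool = True
    db_installed: bool = True                  # 'installed' flag in the settings table

    def load_settings_from_db(self) -> dict:
        if not self.db_online:
            raise DatabaseUnavailable("settings database unreachable")
        return {"installed": self.db_installed}


def wizard_allowed_fail_open(state: AppState) -> bool:
    """Modelled pre-fix pattern: blocks only when settings are known AND .env
    exists; a DB error on a cache miss leaves settings unknown, so the
    wizard is reachable even though the app is installed."""
    settings = state.cache.get("settings")
    if settings is None:
        try:
            settings = state.load_settings_from_db()  # would normally refill cache
        except DatabaseUnavailable:
            settings = None  # defect: unknown state is treated as 'not installed'
    installed = settings is not None and state.env_file_exists
    return not installed


def wizard_allowed_fail_closed(state: AppState) -> bool:
    """Fail-safe guard: the persistent marker blocks regardless of cache or DB
    state, and any error while determining state denies access."""
    if state.env_file_exists:  # on-disk marker is not volatile: deny outright
        return False
    try:
        settings = state.cache.get("settings") or state.load_settings_from_db()
    except DatabaseUnavailable:
        return False  # unknown state: deny, never open the wizard
    return settings.get("installed") is False
```

The attack window the advisory describes is the third scenario in the test: cache miss plus unreachable database with .env present.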
Details
- CWE(s)