CVE-2026-39394
Published: 08 April 2026
Summary
CVE-2026-39394 is a high-severity CRLF Injection (CWE-93) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of the untrusted 'host' POST parameter so that newline characters are rejected, which prevents injection of arbitrary directives into the .env file.
- Enforces restrictions on the 'host' input so that only valid host formats are accepted, excluding newlines and other payloads that enable .env injection.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and remediation of the input validation flaw, in this case upgrading to CI4MS version 0.31.4.0.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated remote exploit in a public-facing web application (CI4MS CMS install endpoint) allowing arbitrary .env configuration modification, directly enabling T1190: Exploit Public-Facing Application.
NVD Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index() controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings(), which writes it into the .env file via preg_replace(). Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration directives into the .env file. The install routes have CSRF protection explicitly disabled, and the InstallFilter can be bypassed when cache('settings') is empty (cache expiry or fresh deployment). This vulnerability is fixed in 0.31.4.0.
Deeper analysis
CVE-2026-39394 is a newline (CRLF) injection vulnerability (CWE-93) in CI4MS, a CodeIgniter 4-based CMS skeleton that provides a modular architecture with RBAC authorization and theme support. In versions prior to 0.31.4.0, the Install::index() controller reads the "host" POST parameter without validation and passes it directly to updateEnvSettings(), which writes it into the .env file using preg_replace(). Because newline characters are not stripped from the value, every embedded line break starts a new line in .env, so an attacker can append arbitrary configuration directives to the file. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-08.
An unauthenticated remote attacker can exploit this during initial installation, or later whenever cache('settings') is empty (after cache expiry or on a fresh deployment), because the InstallFilter that normally blocks the install routes fails open in that state. The install routes also have CSRF protection explicitly disabled, so the request can be sent directly without a valid token. That dependence on cache state is why attack complexity is rated high even though no privileges or user interaction are required. Successful exploitation lets the attacker rewrite the .env file, which in a CodeIgniter 4 application holds the environment name, base URL and database credentials, giving full control over the application's configuration and a high impact on confidentiality, integrity, and availability.
The vulnerability is fixed in CI4MS version 0.31.4.0; operators should upgrade and confirm that the install routes are not exposed on deployed instances. Requests to those routes whose host parameter contains an encoded line break (%0A or %0D) are worth flagging in web access logs. Details are available in the GitHub security advisory at https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vfhx-5459-qhqh.
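As an added illustration of the bug class (this is not CI4MS's own code; the sample .env contents, the payload, the function names and the regexes are all hypothetical), the following PHP contrasts an updateEnvSettings()-style writer that drops the host value into a preg_replace() replacement unchanged with a version that validates the value before writing, and shows how a dotenv-style parser then sees the injected directives:

```php
<?php
// Added example, not CI4MS code: the .env sample, payload, function names and
// regexes below are constructed for illustration only.

// Constructed sample .env contents, standing in for a CodeIgniter 4 .env file.
const SAMPLE_ENV = "app.baseURL = 'http://localhost/'\n"
    . "database.default.hostname = localhost\n"
    . "database.default.username = ci4ms\n";

// Minimal "key = value" parser so we can see what a dotenv loader would pick up.
// Later lines win, mirroring the usual last-assignment-wins behaviour.
function parseEnv(string $env): array
{
    $vars = [];
    foreach (preg_split('/\R/', $env) as $line) {
        if (preg_match('/^\s*([A-Za-z_][A-Za-z0-9_.]*)\s*=\s*(.*)$/', $line, $m)) {
            $vars[$m[1]] = trim($m[2], " \t'\"");
        }
    }
    return $vars;
}

// Vulnerable writer: the value goes into the preg_replace() replacement string
// without stripping CR/LF, so embedded newlines become new lines in the file
// and therefore new directives. Backslash and dollar are escaped only so that
// preg_replace() does not read them as backreferences.
function updateEnvVulnerable(string $env, string $key, string $value): string
{
    $pattern     = '/^' . preg_quote($key, '/') . '\s*=.*$/m';
    $replacement = $key . ' = ' . addcslashes($value, '\\$');
    return preg_replace($pattern, $replacement, $env);
}

// Allow-list check for the host value: no control characters at all (this
// rejects both CR and LF), then a hostname made of RFC 1123-style labels or an
// IPv4 literal, with an optional :port. Bracketed IPv6 is deliberately not
// accepted by this hypothetical check.
function isValidHost(string $value): bool
{
    if ($value === '' || strlen($value) > 253 || preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return false;
    }
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return (bool) preg_match('/^' . $label . '(?:\.' . $label . ')*(?::\d{1,5})?$/', $value);
}

// Hardened writer: validate first, then reuse the same preg_replace() writer.
function updateEnvHardened(string $env, string $key, string $value): string
{
    if (!isValidHost($value)) {
        throw new InvalidArgumentException('Rejected host value: ' . json_encode($value));
    }
    return updateEnvVulnerable($env, $key, $value);
}

// Constructed payload of the kind the advisory describes: a plausible host
// followed by newline-separated directives the attacker wants in .env.
$payload = "localhost\nCI_ENVIRONMENT = development\napp.forceGlobalSecureRequests = false";

$before = parseEnv(SAMPLE_ENV);
$after  = parseEnv(updateEnvVulnerable(SAMPLE_ENV, 'database.default.hostname', $payload));

printf("directives before: %d, after vulnerable write: %d\n", count($before), count($after));
printf("CI_ENVIRONMENT injected: %s\n", isset($after['CI_ENVIRONMENT']) ? 'yes' : 'no');

try {
    updateEnvHardened(SAMPLE_ENV, 'database.default.hostname', $payload);
} catch (InvalidArgumentException $e) {
    echo 'hardened writer: ' . $e->getMessage() . "\n";
}

$ok = updateEnvHardened(SAMPLE_ENV, 'database.default.hostname', 'db.internal:3306');
echo 'hardened writer accepts db.internal:3306: ' . ($ok !== SAMPLE_ENV ? 'yes' : 'no') . "\n";
```

The hardened version rejects rather than strips: silently removing the line breaks would still write an attacker-chosen value into .env, and a value that fails the host format was never a legitimate hostname to begin with. The control-character check also covers a bare carriage return, which is why CWE-93 speaks of CRLF sequences rather than only line feeds.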
Details
- CWE(s)