EUVD-2026-20487
GHSA-8rh5-4mvx-xj7j
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check (cache('settings')) combined with .env file existence to block post-installation access to the setup wizard. When the database is temporarily unreachable during a cache miss (TTL expiry or admin-triggered cache clear), the guard fails open, allowing an unauthenticated attacker to overwrite the .env file with attacker-controlled database credentials, achieving full application takeover. This vulnerability is fixed in 0.31.4.0.
Analysis
Remote attackers can achieve full application takeover in CI4MS (CodeIgniter 4 CMS skeleton) versions prior to 0.31.4.0 by exploiting a fail-open authentication bypass in the installation route guard. When cache expires or database connectivity fails, unauthenticated attackers can re-access the setup wizard to overwrite .env configuration with malicious database credentials, gaining complete control of the application. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: inventory all CI4MS deployments and identify instances running versions prior to 0.31.4.0; immediately restrict network access to installation routes (/setup or equivalent) via firewall or WAF rules. Within 7 days: upgrade all CI4MS instances to version 0.31.4.0 or later per vendor advisory. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today