PT-2026-31316 · Ellislab+1 · Codeigniter4+1

Published 2026-04-08 · Updated 2026-04-08 · CVE-2026-39389

CVSS v3.1: 6.7 (Medium) · AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: CI4MS versions prior to 0.31.4.0

Description: CI4MS, a CodeIgniter 4-based CMS skeleton, allows sensitive files to be read and manipulated. The Fileeditor controller defines a list of security-sensitive paths (.env, composer.json, vendor/, .git/) in the hiddenItems array, but this protection is enforced only in the listFiles() method. The readFile(), saveFile(), deleteFileOrFolder(), renameFile(), createFile(), and createFolder() endpoints lack this validation, so the protected files can be reached directly through the API. A backend user with the fileeditor.read permission can potentially exfiltrate application secrets from .env, and a user with the fileeditor.update permission can overwrite composer.json to achieve remote code execution. CSRF protection is disabled for all fileeditor routes, which increases the risk of exploitation. A proof of concept demonstrates reading the .env file, reading PHP configuration files, overwriting composer.json for remote code execution, and deleting the .env file. The impact includes credential disclosure, remote code execution, denial of service, and a false security boundary.

Recommendations: Apply the hiddenItems validation to every endpoint that accepts a path parameter. Extract the check into a reusable method, and apply the allowedFileTypes check in readFile() as well. Re-enable CSRF protection by removing the CSRF exemption in FileeditorConfig.php and ensuring the frontend sends CSRF tokens with its requests.
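The following is an added illustration of the first two recommendations, not code from the CI4MS project: the hiddenItems check is pulled out of listFiles() into one reusable guard that every path-accepting endpoint calls before touching the filesystem, and readFile() additionally applies the allowedFileTypes list. The class name FileeditorPathGuard, the method names normalize(), assertPathAllowed() and assertReadableType(), the exception class, the $editorRoot constructor argument and the concrete allowedFileTypes values are assumptions; the hiddenItems values are the ones the advisory names. It assumes PHP 8.

```php
<?php
// Added example, not CI4MS project code. Names other than hiddenItems and
// allowedFileTypes are assumptions made for this illustration.

namespace App\Libraries;

use RuntimeException;

class PathNotAllowedException extends RuntimeException {}

class FileeditorPathGuard
{
    /** Paths the editor must never expose (values from the advisory). */
    private array $hiddenItems = ['.env', 'composer.json', 'vendor/', '.git/'];

    /** Extensions readFile() may return (assumed list, stands in for allowedFileTypes). */
    private array $allowedFileTypes = ['php', 'html', 'css', 'js', 'json', 'md', 'txt'];

    /** $editorRoot: absolute directory the editor is confined to (assumed). */
    public function __construct(private string $editorRoot) {}

    /**
     * Lexically normalise a user-supplied relative path. This also covers
     * targets that do not exist yet (createFile, createFolder, renameFile
     * destinations), which realpath() alone cannot check.
     */
    public function normalize(string $path): string
    {
        $parts = [];
        foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
            if ($seg === '' || $seg === '.') {
                continue;
            }
            if ($seg === '..') {
                throw new PathNotAllowedException('Traversal segment rejected');
            }
            $parts[] = $seg;
        }
        return implode('/', $parts);
    }

    /** True when the normalised path is, or lies under, a hiddenItems entry. */
    private function isHidden(string $clean): bool
    {
        foreach ($this->hiddenItems as $hidden) {
            $hidden = rtrim($hidden, '/');
            if ($clean === $hidden || str_starts_with($clean, $hidden . '/')) {
                return true;
            }
        }
        return false;
    }

    /** Returns the normalised path, or throws if it touches a hidden item or leaves the root. */
    public function assertPathAllowed(string $path): string
    {
        $clean = $this->normalize($path);
        if ($this->isHidden($clean)) {
            throw new PathNotAllowedException("Access to '{$clean}' is not permitted");
        }

        // For paths that already exist, resolve symlinks and re-check, so a link
        // inside the root cannot alias a hidden item or a location outside the root.
        $rootReal = realpath($this->editorRoot);
        $real     = realpath($this->editorRoot . '/' . $clean);
        if ($rootReal !== false && $real !== false) {
            if (!str_starts_with($real . DIRECTORY_SEPARATOR, $rootReal . DIRECTORY_SEPARATOR)) {
                throw new PathNotAllowedException('Path resolves outside the editor root');
            }
            $rel = str_replace('\\', '/', ltrim(substr($real, strlen($rootReal)), '/\\'));
            if ($this->isHidden($rel)) {
                throw new PathNotAllowedException("'{$clean}' resolves to a protected item");
            }
        }
        return $clean;
    }

    /** Extra gate for readFile(): only allow-listed extensions are returned. */
    public function assertReadableType(string $path): void
    {
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        if (!in_array($ext, $this->allowedFileTypes, true)) {
            throw new PathNotAllowedException("File type '{$ext}' is not readable via the editor");
        }
    }
}

// In the controller, every endpoint that takes a path (readFile(), saveFile(),
// deleteFileOrFolder(), renameFile(), createFile(), createFolder()) runs the
// guard first, e.g.:
//   $clean = $this->guard->assertPathAllowed($this->request->getPost('path'));
//   $this->guard->assertReadableType($clean);   // readFile() only
// renameFile() must check both its source and destination paths.
```

The guard is deliberately two-stage: the lexical pass runs first so that a request naming a file that does not yet exist (the createFile() and createFolder() cases) is still denied when it targets vendor/ or .git/, and the realpath() pass runs second so an existing symlink cannot alias .env or composer.json under a harmless-looking name. Because the check happens in one method, a newly added endpoint cannot silently skip it the way the six endpoints in the advisory did. The CSRF fix is separate and is exactly what the advisory states: remove the exemption in FileeditorConfig.php and have the frontend include the token on every fileeditor request.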

Fix

Weakness Enumeration: Improper Authorization

Related Identifiers: CVE-2026-39389, GHSA-9RXP-F27P-WV3H

Affected Products: Ci4Ms, Codeigniter4