PT-2026-31320 · Ci4Ms · Ci4Ms

Published 2026-04-08 · Updated 2026-04-09 · CVE-2026-39393

CVSS v3.1: 8.1 (High) · AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

CI4MS versions prior to 0.31.4.0

Description

The install route guard in CI4MS relies on a cache check and the existence of a .env file to prevent access to the setup wizard after installation. If the database is temporarily unreachable when the cache expires or is cleared, the guard fails, allowing an unauthenticated attacker to overwrite the .env file with malicious database credentials, leading to full application takeover.

The vulnerable code is located in InstallFilter::before() at modules/Install/Filters/InstallFilter.php:13 and in app/Config/Filters.php:128-151. InstallFilter::before() requires both that the .env file exists and that the cache is non-empty. Populating the cache involves reading from the database, and any exception raised during that read is silently caught, leaving the cache empty. The install controller at modules/Install/Controllers/Install.php:10-87 processes POST requests without validating the host parameter and writes it directly to the .env file. CSRF protection is disabled for install routes.

The cache has a 24-hour TTL and is cleared by several admin actions, so the window of exposure recurs. Exploitation requires a temporary database outage that coincides with cache expiry. The impact includes full application takeover, credential theft, data integrity loss, and encryption key reset.

Recommendations

Replace the cache-based install guard with a persistent filesystem lock. Create a lock file at the end of a successful installation in Install::dbsetup(). Add validation for the host parameter in Install::index().
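The following is an added illustration of the recommended fix, not CI4MS's own code: a CodeIgniter 4 filter that fails closed on a persistent lock file (so an empty cache or an unreachable database no longer reopens the wizard), a helper the installer calls once to write that lock, and a hostname check for the install form's host parameter. The namespace, lock file path and method names are assumptions.

```php
<?php
// Added example, not CI4MS's own code. Replaces a cache-backed install guard
// with a persistent lock file (WRITEPATH is a CodeIgniter 4 constant; the
// namespace and lock path are assumptions).

namespace Modules\Install\Filters;
use CodeIgniter\Exceptions\PageNotFoundException;
use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

class InstallFilter implements FilterInterface
{
    public const LOCK_FILE = WRITEPATH . 'install.lock';

    public function before(RequestInterface $request, $arguments = null)
    {
        // Fail closed: once the lock exists the wizard is never reachable again,
        // no matter whether the cache is empty or the database is down.
        if (is_file(self::LOCK_FILE)) {
            throw PageNotFoundException::forPageNotFound();
        }
        return null;
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        return null;
    }

    /** To be called once, at the end of a successful database setup step. */
    public static function writeLock(): void
    {
        // LOCK_EX guards against two concurrent installer requests racing on the write.
        if (file_put_contents(self::LOCK_FILE, date('c'), LOCK_EX) === false) {
            throw new \RuntimeException('Could not write install lock file');
        }
    }

    /** Allow only an IP literal or an RFC 1123 hostname as the database host. */
    public static function isValidDbHost(string $host): bool
    {
        if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
            return true;
        }
        $label = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
        return strlen($host) <= 253 && preg_match("/^{$label}(\\.{$label})*$/", $host) === 1;
    }
}
```

The controller should reject the form when isValidDbHost() returns false before anything is written to .env, and call writeLock() only after the database setup has actually succeeded.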

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-39393
GHSA-8RH5-4MVX-XJ7J

Affected Products

Ci4Ms