CVE-2026-39394: CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller

April 8, 2026

The Install::index() controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings(), which writes it into the .env file via preg_replace(). Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration directives into the .env file. The install routes have CSRF protection explicitly disabled, and the InstallFilter can be bypassed when cache('settings') is empty (cache expiry or fresh deployment).
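The unsafe pattern the advisory describes is a POST value written straight into .env through preg_replace() with nothing stripped. The following is an added hardened example, not CI4MS code, showing the checks such a write needs: an allow-list for the host, rejection of CR/LF before anything reaches the file, and escaping of the preg_replace() replacement string. sanitizeHost(), HOST_PATTERN, the function signatures and the sample .env content are assumptions.

```php
<?php
// Added example, not CI4MS code: a hardened form of the .env update pattern
// the advisory describes. sanitizeHost() and the parameter shapes are hypothetical.

// Allow-list for a host or host:port. \A and \z are used rather than ^ and $
// because $ would still match before a trailing newline.
const HOST_PATTERN = '/\A(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*'
    . '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?::\d{1,5})?\z/';

/** Return the host unchanged if it is safe to store, null otherwise. */
function sanitizeHost(string $host): ?string
{
    // Any control character (\r and \n included) could start a new .env line.
    if (preg_match('/[\x00-\x1F\x7F]/', $host) || !preg_match(HOST_PATTERN, $host)) {
        return null;
    }
    return $host;
}

/** Replace or append `KEY = 'value'` in .env text without trusting the value. */
function updateEnvSettings(string $env, string $key, string $value): string
{
    // Defence in depth: refuse anything that could span more than one line or break quoting.
    if (preg_match('/[\r\n\']/', $value)) {
        throw new InvalidArgumentException("unsafe .env value for $key");
    }
    $line    = "$key = '$value'";
    $pattern = '/^' . preg_quote($key, '/') . '[ \t]*=.*$/m';
    if (preg_match($pattern, $env)) {
        // Escape \ and $ so preg_replace() does not treat them as back-references.
        $safe = str_replace(['\\', '$'], ['\\\\', '\\$'], $line);
        return preg_replace($pattern, $safe, $env, 1);
    }
    return rtrim($env, "\r\n") . "\n$line\n";
}

// Constructed inputs: one ordinary host, one carrying an embedded newline.
foreach (["shop.example.com:8080", "example.com\nOTHER_KEY = value"] as $candidate) {
    echo json_encode($candidate), ' -> ', sanitizeHost($candidate) === null ? 'rejected' : 'accepted', "\n";
}

// Constructed .env sample; only the validated host is allowed to reach the write.
$env  = "CI_ENVIRONMENT = production\napp.baseURL = 'http://localhost/'\n";
$host = sanitizeHost('shop.example.com:8080');
echo updateEnvSettings($env, 'app.baseURL', "http://$host/");
```

The second candidate is rejected before updateEnvSettings() is ever called, which is the point of validating at the controller boundary rather than relying on the file writer alone.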

References

  • github.com/advisories/GHSA-vfhx-5459-qhqh
  • github.com/ci4-cms-erp/ci4ms
  • github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0
  • github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vfhx-5459-qhqh
  • nvd.nist.gov/vuln/detail/CVE-2026-39394

Affected versions

All versions before 0.31.4.0

Fixed versions

  • 0.31.4.0

Solution

Upgrade to version 0.31.4.0 or above.

Impact

8.1 HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness

  • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

Source file

packagist/ci4-cms-erp/ci4ms/CVE-2026-39394.yml

Page generated Sat, 09 May 2026 12:18:50 +0000.