CVE-2026-41890: CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess
(updated )
The deleteProcess() action accepts a POST parameter tables[] containing arbitrary table names. These are passed directly to $forge->dropTable() without validating that the tables belong to the theme being deleted.
The deleteConfirm view correctly populates tables[] from the theme’s own migration files, but the server-side deleteProcess does not verify the received values against those files. An authenticated admin can craft a POST request with arbitrary table names and drop any table in the database.
This is a real bug even within the admin trust model: the action should be scoped to the theme’s own tables. The permission grants delete this theme’s data", not “drop any table”.
References
- github.com/advisories/GHSA-vgrf-pr28-vf98
- github.com/ci4-cms-erp/ci4ms
- github.com/ci4-cms-erp/ci4ms/commit/2f38284281ce6b435ea42003951f14109ac2cea7
- github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.8.0
- github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vgrf-pr28-vf98
- nvd.nist.gov/vuln/detail/CVE-2026-41890
Code Behaviors & Features
Detect and mitigate CVE-2026-41890 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →