CVE-2026-25125: October Rain has Environment Variable Exfiltration via INI Parser Interpolation
A server-side information disclosure vulnerability was identified in the INI settings parser. PHP’s parse_ini_string() function supports ${} syntax for environment variable interpolation. Attackers with Editor access could inject ${APP_KEY}, ${DB_PASSWORD}, or similar patterns into CMS page settings fields, causing sensitive environment variables to be resolved and stored in the template. These values were then returned to the attacker when the page was reopened.
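The behaviour described above, as an added example that is not October Rain's or October CMS's own code: a constructed settings string containing `${APP_KEY}` is parsed with `parse_ini_string()` in its default scanner mode, then parsed again with `INI_SCANNER_RAW`, and finally screened for `${...}` patterns. The raw-mode parse and the screening check are assumed to be reasonable defensive measures, not necessarily the project's actual fix; the environment variable and the settings text are constructed for the demonstration.

```php
<?php
// Added example (not October Rain's code). Demonstrates how ${NAME} inside an
// INI value is expanded from the process environment by parse_ini_string(),
// and two defensive measures a maintainer can apply to untrusted settings.

// Constructed secret standing in for a real APP_KEY in the environment.
putenv('APP_KEY=constructed-secret-value');

// Constructed page settings as an Editor-level user could submit them.
$untrustedIni = 'title = "Hello"' . "\n"
              . 'layout = "default"' . "\n"
              . 'meta = "${APP_KEY}"' . "\n";

// Vulnerable pattern: the default scanner resolves ${APP_KEY} from the
// environment, so the secret ends up in the parsed (and later stored) value.
function parseSettingsVulnerable(string $ini)
{
    return parse_ini_string($ini);
}

// Hardened pattern (assumption: one reasonable mitigation, not necessarily the
// project's own fix): INI_SCANNER_RAW returns values verbatim, so no
// environment or constant interpolation takes place.
function parseSettingsHardened(string $ini)
{
    return parse_ini_string($ini, false, INI_SCANNER_RAW);
}

// Input screening: untrusted settings text has no legitimate need for ${...},
// so flag it for rejection or review before it is parsed or stored.
function containsInterpolation(string $ini): bool
{
    return preg_match('/\$\{[^}]*\}/', $ini) === 1;
}

$vulnerable = parseSettingsVulnerable($untrustedIni);
$hardened   = parseSettingsHardened($untrustedIni);

echo 'vulnerable meta: ' . $vulnerable['meta'] . PHP_EOL; // secret is exposed
echo 'hardened meta:   ' . $hardened['meta'] . PHP_EOL;   // literal text kept
echo 'flagged: ' . (containsInterpolation($untrustedIni) ? 'yes' : 'no') . PHP_EOL;
```

The screening check is the useful detection signal: a `${` sequence arriving in a settings field from a low-privilege account is worth logging and rejecting regardless of which scanner mode the parser uses.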