CVE-2026-39393 - Vulnerability Analysis
HighCVSS: 8.1Last Updated: April 8, 2026
CI4MS - Broken Access Control
Published: April 8, 2026Updated: April 8, 2026Remote Exploitable
Overview
CI4MS < 0.31.4.0 contains a broken access control vulnerability caused by reliance on volatile cache and .env file existence in the install route guard, letting unauthenticated attackers overwrite .env and take over the application, exploit requires database unavailability during cache miss.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Unauthenticated attackers can overwrite configuration files and take full control of the application.
Mitigation
Update to version 0.31.4.0 or later.
Related Resources
Details
- CVE ID
- CVE-2026-39393
- Severity
- High
- CVSS Score
- 8.1
- Type
- broken_access_control
- Status
- new
CWE
- CWE-306
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H