


Perceptive Security
SOC/SIEM Consultancy

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0,…
Published:
7 April 2026 at 22:00:00
Alert date:
8 April 2026 at 16:01:27
Source:
nvd.nist.gov
Web Technologies
CI4MS, a CodeIgniter 4-based CMS skeleton, contains a critical vulnerability in versions prior to 0.31.4.0. The install route guard relies solely on volatile cache checks and .env file existence to prevent post-installation access to the setup wizard. When the database becomes temporarily unreachable during cache misses (TTL expiry or admin-triggered cache clear), the security guard fails open. This allows unauthenticated attackers to overwrite the .env file with malicious database credentials, resulting in complete application takeover. The vulnerability has been patched in version 0.31.4.0.
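The fail-open pattern described above, next to a fail-closed alternative, as an added example in plain PHP. It is not CI4MS code and not the 0.31.4.0 patch; the function names, the lock-file marker and the scenarios are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration: function names, file names and logic are assumptions,
// not CI4MS code. Each guard returns true when the setup wizard is reachable.

/** Fail-open: a database error on a cache miss is read as "not installed". */
function wizardAllowedFailOpen(?bool $cachedInstalled, callable $dbSaysInstalled): bool
{
    if ($cachedInstalled !== null) {
        return !$cachedInstalled;      // cache hit: trust the cached flag
    }
    try {
        return !$dbSaysInstalled();    // cache miss: fall back to the database
    } catch (Throwable $e) {
        return true;                   // lookup failed: wizard becomes reachable
    }
}

/** Fail-closed: only a durable marker written at install time is consulted. */
function wizardAllowedFailClosed(string $lockFile): bool
{
    clearstatcache(true, $lockFile);
    return !is_file($lockFile);        // marker present: wizard stays closed
}

// Constructed scenarios: [label, cached flag, database lookup, site installed?]
$dbUp    = static fn (): bool => true;
$dbEmpty = static fn (): bool => false;
$dbDown  = static function (): bool {
    throw new RuntimeException('database unreachable');
};
$scenarios = [
    ['fresh install',                  null, $dbEmpty, false],
    ['installed, cache hit',           true, $dbUp,    true],
    ['installed, cache miss, DB up',   null, $dbUp,    true],
    ['installed, cache miss, DB down', null, $dbDown,  true],
];
$lock = sys_get_temp_dir() . '/ci4ms_example_installed.lock'; // hypothetical marker path
foreach ($scenarios as [$label, $cached, $db, $installed]) {
    $installed ? touch($lock) : @unlink($lock);
    printf(
        "%-32s fail-open=%s fail-closed=%s\n",
        $label,
        var_export(wizardAllowedFailOpen($cached, $db), true),
        var_export(wizardAllowedFailClosed($lock), true)
    );
}
@unlink($lock);
```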
Affected products:
CI4MS
CodeIgniter 4
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-39393
https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-8rh5-4mvx-xj7j
This article was created with the assistance of AI technology by Perceptive.
