CVE-2026-41202 Overview
CVE-2026-41202 is a path traversal vulnerability [CWE-22] in CI4MS, a CodeIgniter 4-based content management system (CMS) skeleton with role-based access control (RBAC) and theme support. The flaw exists in the Backup::restore function, which extracts user-uploaded ZIP archives without validating entry names. An authenticated backend user with the backup create permission can exploit this Zip Slip weakness to write files outside the intended extraction directory. Attackers chain this primitive with a PHP file dropped under the public web root to achieve remote code execution. The issue affects CI4MS versions prior to 0.31.5.0 and is patched in version 0.31.5.0.
Critical Impact
Authenticated attackers with backup permissions can execute arbitrary PHP code on the server, fully compromising the host application.
Affected Products
- CI4MS versions prior to 0.31.5.0
- CodeIgniter 4-based deployments using the CI4MS skeleton
- Backend user accounts holding the backup create permission
Discovery Timeline
- 2026-05-07 - CVE-2026-41202 published to the National Vulnerability Database (NVD)
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-41202
Vulnerability Analysis
The vulnerability resides in the Backup::restore routine of CI4MS. When an authenticated administrator uploads a ZIP archive for restoration, the application iterates through archive entries and writes each file to disk. The extraction logic does not normalize or sanitize entry names before joining them with the destination path. An attacker who controls the ZIP contents can include entries with traversal sequences such as ../../../public/shell.php to escape the backup directory.
Because CI4MS exposes a public web root that executes PHP, dropping a .php payload under that directory results in immediate code execution when the file is requested over HTTP. The attacker requires only a single permission, backup create, rather than full administrative privilege, expanding the population of accounts that can trigger the issue.
Root Cause
The root cause is missing validation of ZIP entry names during archive extraction. The implementation trusts archive metadata and passes entry paths to filesystem write operations without verifying that the resolved destination remains inside the intended extraction directory. This pattern is the canonical Zip Slip vulnerability class, mapped to [CWE-22] Improper Limitation of a Pathname to a Restricted Directory.
Attack Vector
Exploitation proceeds in three steps. First, the attacker authenticates to the CI4MS backend with an account holding the backup create permission. Second, the attacker submits a malicious ZIP archive through the backup restore interface containing a PHP payload with a path traversal entry name targeting the public/ directory. Third, the attacker requests the dropped PHP file through the web server, triggering execution under the PHP-FPM or web server user context.
For implementation details, refer to the GitHub Security Advisory GHSA-xp9f-pvvc-57p4.
Detection Methods for CVE-2026-41202
Indicators of Compromise
- Unexpected .php files appearing under the CI4MS public/ web root with recent modification timestamps
- ZIP archive uploads containing entry names with ../ traversal sequences in backup restore logs
- HTTP requests to PHP files with unusual names located outside expected application directories
- Backend audit log entries showing backup restore actions followed by anomalous web requests from the same source IP
Detection Strategies
- Inspect uploaded ZIP archives for entries whose normalized paths resolve outside the configured backup directory
- Compare the inventory of files under public/ against the known application manifest to identify foreign PHP files
- Correlate authenticated backend actions on the backup restore endpoint with subsequent web shell access patterns
Monitoring Recommendations
- Enable file integrity monitoring on the CI4MS public/ and application root directories
- Log every invocation of Backup::restore with the authenticated user, source IP, and archive checksum
- Alert on PHP file creation events under web-accessible directories outside scheduled deployments
How to Mitigate CVE-2026-41202
Immediate Actions Required
- Upgrade CI4MS to version 0.31.5.0 or later, which contains the official fix
- Audit backend accounts and remove the backup create permission from any user that does not require it
- Review the public/ directory and application root for unauthorized PHP files and remove any foreign artifacts
- Rotate credentials and session tokens for any backend account that may have been used to upload untrusted archives
Patch Information
The maintainers patched the vulnerability in CI4MS Release 0.31.5.0. The fix validates ZIP entry names during extraction so that resolved paths cannot escape the destination directory. Administrators should apply this release through their normal deployment process and verify the version after upgrade.
Workarounds
- Disable the backup restore feature until the patched version is deployed
- Restrict access to the backup management endpoints with network-level controls such as IP allowlists
- Configure the web server to deny PHP execution outside explicitly approved directories
- Run the CI4MS process under a least-privilege user account that cannot write to sensitive system paths
# Configuration example: deny PHP execution in unintended directories (nginx)
location ~* /(writable|backup)/.*\.php$ {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
