Skip to content

Uploaded file extension validation bypass in `ext_in` rule

Critical
paulbalandan published GHSA-2gr4-ppc7-7mhx May 20, 2026

Package

composer codeigniter4/framework (Composer)

Affected versions

< 4.7.2

Patched versions

4.7.3

Description

Impact

The ext_in upload validation rule checked the MIME-derived guessed extension instead of the client-provided filename extension. As a result, an uploaded file named shell.php containing GIF-like content could pass validation such as:

uploaded[avatar]|is_image[avatar]|mime_in[avatar,image/gif]|ext_in[avatar,gif]

because the detected MIME type maps to gif, even though the uploaded filename extension is php.

Applications are impacted if they:

  • accept user-controlled uploads,
  • rely on ext_in to validate the uploaded filename extension,
  • save uploaded files using the original client filename: $file->move($path),
  • store uploads in a web-accessible directory,
  • and allow PHP or other executable files to run from that directory.

In those conditions, this may lead to arbitrary code execution. The default application does not expose such an upload endpoint.

Patches

Upgrade to v4.7.3 or later.

Workarounds

  • Save uploads outside the public web root, preferably under writable/uploads
  • Use $file->store() or $file->move($path, $file->getRandomName()) instead of preserving the original filename
  • Disable script execution in any public upload directory
  • Manually verify the client filename extension before moving the file
  • Reject files when $file->getClientExtension() is not in the allowed list or does not match $file->guessExtension()

References

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2026-48062

Weaknesses

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. Learn more on MITRE.

Credits