Critical CodeIgniter4 Bug Lets Attackers Upload PHP Webshells
A maximum-severity vulnerability has been discovered in the CodeIgniter4 PHP framework that allows attackers to bypass file upload validation entirely and achieve remote code execution (RCE) on vulnerable web applications.
Tracked as CVE-2026-48062 and published via GitHub Security Advisory GHSA-2gr4-ppc7-7mhx, the flaw carries the highest possible CVSS v3.1 score, reflecting its network-exploitable, zero-interaction attack surface.
The vulnerability stems from a subtle but dangerous logic error in how CodeIgniter4’s ext_in validation rule evaluates uploaded files.
Rather than checking the client-provided filename extension, the rule incorrectly validates the MIME-derived guessed extension, a distinction that creates a critical security gap.
In practice, an attacker can craft a file named shell.php containing GIF-like binary content. When submitted through an upload form, the framework reads the MIME type as image/gif and maps the guessed extension to gif. A validation chain such as:
uploaded[avatar]|is_image[avatar]|mime_in[avatar,image/gif]|ext_in[avatar,gif]
passes without error even though the actual stored filename carries a .php extension. This mismatch between what the server believes it received and what it actually stored is the core of the exploit.
The weakness is classified under CWE-434: Unrestricted Upload of File with Dangerous Type, a persistent entry in OWASP’s top web application risks.
Not every CodeIgniter4 deployment is automatically at risk. Successful exploitation requires five conditions to align simultaneously:
- The application accepts user-controlled file uploads
- ext_in serves as the primary extension validation mechanism
- Uploaded files are saved using the original client-provided filename via $file->move($path)
- Files are stored in a web-accessible directory
- PHP or other server-side script execution is permitted from that directory
When all five conditions are met, a remote, unauthenticated attacker can upload a weaponized PHP webshell disguised as an image and directly execute arbitrary commands on the underlying server by browsing to the file.
All CodeIgniter4 versions prior to 4.7.2 are affected. The vulnerability was patched in version 4.7.3, released by maintainer Paulbalandan. Development teams should upgrade immediately.
Mitigations
For teams unable to patch right away, several measures significantly reduce exposure:
- Move upload storage off the web root — storing files under writable/uploads prevents browser-accessible webshells even if a malicious file is uploaded successfully
- Randomize filenames — replace $file->move($path) with $file->store() or $file->move($path, $file->getRandomName()) to eliminate attacker-controlled filenames
- Disable PHP execution in upload directories — enforce this at the server configuration level for a strong defensive layer
- Manually validate extensions — verify that $file->getClientExtension() matches an allowlist and aligns with $file->guessExtension() before moving any uploaded file
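As an added example (not the framework's or the advisory's own code), the manual extension check and random-name storage from the list above, written against CodeIgniter4's UploadedFile API. AvatarUploadGuard is a hypothetical class name; isValid(), getErrorString(), getMimeType() and the WRITEPATH constant are assumed to behave as they do in CodeIgniter4.

```php
<?php
// Added example, not CodeIgniter4 code. Checks the client-supplied extension
// first (the part ext_in evaluated wrongly), then requires it to agree with
// the content-derived guess, then stores the file under a random name
// outside the web root (WRITEPATH is CI4's constant for the writable/ dir).

use CodeIgniter\HTTP\Files\UploadedFile;

final class AvatarUploadGuard
{
    /** Allowed extension => the MIME type its content must carry. */
    private const ALLOWED = [
        'gif' => 'image/gif',
        'png' => 'image/png',
    ];

    /** Returns null when the file is acceptable, otherwise the reason. */
    public static function reject(UploadedFile $file): ?string
    {
        if (! $file->isValid()) {
            return 'upload failed: ' . $file->getErrorString();
        }

        // shell.php with GIF bytes: client extension is "php" -> rejected here,
        // no matter what the MIME sniff says.
        $clientExt = strtolower($file->getClientExtension());
        if (! isset(self::ALLOWED[$clientExt])) {
            return "client extension '{$clientExt}' not in allowlist";
        }

        // image.gif with PHP bytes: the guess will not be "gif" -> rejected here.
        $guessedExt = strtolower((string) $file->guessExtension());
        if ($guessedExt !== $clientExt) {
            return "extension mismatch: name '{$clientExt}', content '{$guessedExt}'";
        }

        if ($file->getMimeType() !== self::ALLOWED[$clientExt]) {
            return 'unexpected MIME type ' . $file->getMimeType();
        }

        return null;
    }

    /** Store under a random basename outside the web root; returns the path. */
    public static function store(UploadedFile $file): string
    {
        $dir  = WRITEPATH . 'uploads/';
        $name = $file->getRandomName(); // random name, original extension kept
        $file->move($dir, $name);
        return $dir . $name;
    }
}
```

Call reject() in the controller before store(); a non-null return is the message to log and show, and the file is never moved.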
The vulnerability was responsibly reported by security researcher z3moo, with additional contributions from teebow1e.
Organizations relying on CodeIgniter4 for any file upload functionality should treat CVE-2026-48062 as a critical priority patch. The combination of zero-privilege access, network-reachable attack surface, and a direct path to full server compromise makes this one of the more severe PHP framework vulnerabilities disclosed this year.