CVE-2026-41890: CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess

May 4, 2026 (updated May 8, 2026)

The deleteProcess() action accepts a POST parameter tables[] containing arbitrary table names. These are passed directly to $forge->dropTable() without validating that the tables belong to the theme being deleted.

The deleteConfirm view correctly populates tables[] from the theme’s own migration files, but the server-side deleteProcess does not verify the received values against those files. An authenticated admin can craft a POST request with arbitrary table names and drop any table in the database.

This is a real bug even within the admin trust model: the action should be scoped to the theme’s own tables. The permission grants delete this theme’s data", not “drop any table”.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-41890 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →