CVE-2026-48062: CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule
The ext_in upload validation rule checked the MIME-derived guessed extension instead of the client-provided filename extension. As a result, an uploaded file named shell.php containing GIF-like content could pass validation such as:
uploaded[avatar]|is_image[avatar]|mime_in[avatar,image/gif]|ext_in[avatar,gif]
because the detected MIME type maps to gif, even though the uploaded filename extension is php.
Applications are impacted if they:
- accept user-controlled uploads,
- rely on
ext_into validate the uploaded filename extension, - save uploaded files using the original client filename:
$file->move($path), - store uploads in a web-accessible directory,
- and allow PHP or other executable files to run from that directory.
In those conditions, this may lead to arbitrary code execution. The default application does not expose such an upload endpoint.
References
- codeigniter.com/user_guide/libraries/uploaded_files.html
- codeigniter.com/user_guide/libraries/validation.html
- github.com/advisories/GHSA-2gr4-ppc7-7mhx
- github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md
- github.com/codeigniter4/CodeIgniter4/commit/29299349e7d232e9532767c7cefaed30957309be
- github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-2gr4-ppc7-7mhx
- nvd.nist.gov/vuln/detail/CVE-2026-48062
Code Behaviors & Features
Detect and mitigate CVE-2026-48062 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →