Executive Summary
A critical file upload validation bypass has been disclosed in the CodeIgniter PHP framework, tracked as CVE-2026-48062 with a CVSS score of 9.8. The flaw exists in the ext_in upload validation rule within system/Validation/StrictRules/FileRules.php. Prior to version 4.7.3, the rule incorrectly validates the MIME-derived guessed extension rather than the client-provided filename extension, allowing an attacker to upload a PHP web shell (e.g. shell.php containing a GIF magic byte header) that passes validation as an image but is executed as PHP by the server.
CVSS Score: 9.8 (Critical)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-48062 |
| CVSS Score | 9.8 (Critical) |
| Type | Improper Input Validation — File Upload (CWE-434) |
| Attack Vector | Network |
| Authentication | None required (depends on application) |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
Root Cause
The ext_in validation rule in FileRules.php was designed to restrict allowed file extensions. However, the rule evaluates the MIME-detected extension (inferred from the file's content/magic bytes) instead of the actual filename extension supplied by the client. An attacker can exploit this by:
- Naming a malicious PHP file
shell.php - Prepending a valid GIF magic byte sequence (
GIF89a) to the file content - The MIME detection sees
image/gif→ inferred extensiongif→ theext_in[gif,jpg,png]rule passes - The server stores the file as
shell.php— which PHP will execute on request
This is a classic polyglot file upload bypass that leads directly to Remote Code Execution on vulnerable web servers.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| CodeIgniter | < 4.7.3 | 4.7.3 |
All CodeIgniter 4.x deployments using the ext_in validation rule for file uploads prior to 4.7.3 are vulnerable.
Exploitation Walkthrough
1. Attacker crafts shell.php with GIF magic bytes:
GIF89a<?php system($_GET['cmd']); ?>
2. Attacker uploads shell.php via any CodeIgniter file upload form
using the ext_in[gif,jpg,png] validation rule
3. ext_in checks MIME-derived extension → detects "gif" → PASSES
4. File is stored on server as shell.php
5. Attacker requests /uploads/shell.php?cmd=id → RCE achieved
Why This Is Severe
- No authentication required on many public-facing upload endpoints
- MIME spoofing is trivial — prepending magic bytes is a well-known technique
- Full RCE — arbitrary PHP execution on the web server
- Widely deployed framework — CodeIgniter powers a significant portion of legacy and modern PHP applications
Impact
Applications built on CodeIgniter that:
- Use the
ext_invalidation rule for file uploads - Allow user-submitted files to be stored in a web-accessible directory
- Run on servers where PHP can execute uploaded files (most shared hosting, many VPS setups)
...are at risk of complete server compromise through this vulnerability.
Remediation
Upgrade Immediately
Upgrade to CodeIgniter 4.7.3 which corrects the ext_in rule to validate against the client-provided filename extension rather than the MIME-derived extension.
composer update codeigniter4/frameworkVerify your version:
php spark --versionInterim Mitigations (if patching is delayed)
- Disable file uploads on publicly accessible forms until patched
- Replace
ext_inwithmime_infor validation — but combine with blocking PHP execution in upload directories (see below) - Configure web server to deny PHP execution in upload directories:
Nginx:
location ~* /uploads/.*\.php$ {
deny all;
}Apache .htaccess in uploads directory:
php_flag engine off- Store uploads outside the web root — serve through a controller that reads and streams the file rather than exposing the raw path
- Rename all uploaded files to a random UUID with no extension (or a safe extension) server-side, regardless of client-provided name
Detection
Signs of Exploitation
| Indicator | Description |
|---|---|
| PHP files in upload directories | Uploaded web shells |
| Unexpected outbound connections from web server | C2 communication post-exploitation |
| Anomalous process spawning from web server process | Command execution via shell |
Upload requests with .php extensions | Direct upload attempts |
Requests to /uploads/*.php paths | Web shell access attempts |
Log Review
Examine web server access logs for:
- POST requests to upload endpoints followed by GET requests to the same path with query parameters
- Repeated requests to
*.phpfiles in upload directories from the same source IP
Key Takeaways
- CVSS 9.8 Critical — trivial file upload bypass enables full RCE on CodeIgniter applications
- Polyglot exploit — GIF magic bytes bypass MIME detection; file is stored and executed as PHP
- Upgrade to 4.7.3 immediately — the fix corrects
ext_into check client filename extension - Disable PHP execution in upload directories as defense-in-depth, regardless of framework version
- Store uploads outside the web root as a permanent architectural hardening measure