GHSA-g6v3-wv4j-x9hgMediumCVSS 4.9

October Rain has Environment Variable Exfiltration via INI Parser Interpolation

Published
April 14, 2026
Last Modified
June 16, 2026

🔗 CVE IDs covered (1)

📋 Description

A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's parse_ini_string() function supports ${} syntax for environment variable interpolation. Attackers with Editor access could inject ${APP_KEY}, ${DB_PASSWORD}, or similar patterns into CMS page settings fields, causing sensitive environment variables to be resolved and stored in the template. These values were then returned to the attacker when the page was reopened.

Impact

  • Exfiltration of sensitive environment variables (APP_KEY, DB credentials, AWS keys, etc.)
  • Could enable further attacks: database access, cookie forgery, AWS resource access
  • Requires authenticated backend access with Editor permissions
  • Only relevant when cms.safe_mode is enabled (otherwise direct PHP injection is already possible)

Patches

The vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.

Workarounds

If upgrading immediately is not possible:

  • Restrict Editor tool access to fully trusted administrators only
  • Ensure database and cloud service credentials are not accessible from the web server's network

References

  • Reported by Pentest-Tools.com

🎯 Affected products2

  • composer/october/rain:>= 4.0.0, <= 4.1.9
  • composer/october/rain:<= 3.7.13

🔗 References (3)