Detect CVE-2026-48062: CodeIgniter4 File Upload Extension Validation Bypass (ext_in Rule) in Splunk
CVE-2026-48062 affects CodeIgniter4 framework versions prior to 4.7.2. The `ext_in` validation rule fails to properly validate file extensions during upload, allowing attackers to bypass extension restrictions and upload arbitrary files including web shells or malicious executables. This unrestricted file upload vulnerability (CWE-434) has a CVSS score of 9.8 and a public proof-of-concept. Successful exploitation can lead to remote code execution on the hosting server.
MITRE ATT&CK
- Tactics: Initial Access, Execution, Persistence
SPL Detection Query
index=web OR index=os sourcetype IN ("access_combined", "syslog", "auditd", "inotify")
| eval upload_path=if(match(uri_path, "(?i)(upload|writable|tmp|cache|public)"), "true", "false")
| eval suspicious_ext=if(match(uri_path, "(?i)\.(php[0-9]?|phtml|phar|shtml|pht|asp|aspx|jsp)$"), "true", "false")
| where upload_path="true" AND suspicious_ext="true"
| eval method=upper(http_method)
| where method IN ("POST", "PUT")
| stats count as upload_count, values(src_ip) as source_ips, values(uri_path) as upload_paths, earliest(_time) as first_seen, latest(_time) as last_seen by host, method
| where upload_count > 0
| eval risk_score=if(upload_count > 5, "HIGH", "MEDIUM")
| table host, source_ips, upload_paths, upload_count, first_seen, last_seen, risk_score
| sort -upload_count
Detects HTTP POST/PUT requests uploading files with suspicious extensions (PHP, PHTML, PHAR, etc.) to CodeIgniter4 upload directories, indicating potential exploitation of the ext_in validation bypass vulnerability.
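To show how the query's filters and aggregation behave on real-looking input, the following is an added Python walkthrough (not part of this detection page or the CodeIgniter project) that applies the same upload-path and extension patterns to a few constructed access_combined lines and groups them the way the stats stage does; the host name web01, the IPs and the log lines are all constructed.

```python
import re
from collections import defaultdict

# Constructed access_combined-style lines (not real traffic) used as input.
SAMPLE_LOGS = """\
10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "POST /writable/uploads/avatar.jpg HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2026:10:02:10 +0000] "POST /writable/uploads/shell.php HTTP/1.1" 200 88
10.0.0.7 - - [12/Mar/2026:10:02:11 +0000] "PUT /public/uploads/x.phtml HTTP/1.1" 201 12
10.0.0.9 - - [12/Mar/2026:10:03:00 +0000] "GET /public/uploads/shell.php HTTP/1.1" 200 90
10.0.0.9 - - [12/Mar/2026:10:04:00 +0000] "POST /api/login HTTP/1.1" 302 0
"""

# Minimal access_combined parser: client IP, method and request URI are all we need.
LOG_RE = re.compile(r'^(?P<src_ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+)')
# Same patterns as the SPL query: upload-like directories and executable extensions.
UPLOAD_PATH_RE = re.compile(r"(?i)(upload|writable|tmp|cache|public)")
SUSPICIOUS_EXT_RE = re.compile(r"(?i)\.(php[0-9]?|phtml|phar|shtml|pht|asp|aspx|jsp)$")

def detect(log_text, host="web01"):
    """Mirror the SPL: filter on path, extension and method, then aggregate by (host, method)."""
    groups = defaultdict(lambda: {"upload_count": 0, "source_ips": set(), "upload_paths": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        uri_path = m["uri"].split("?", 1)[0]   # uri_path excludes any query string
        method = m["method"].upper()
        if method not in ("POST", "PUT"):
            continue
        if not (UPLOAD_PATH_RE.search(uri_path) and SUSPICIOUS_EXT_RE.search(uri_path)):
            continue
        g = groups[(host, method)]
        g["upload_count"] += 1
        g["source_ips"].add(m["src_ip"])
        g["upload_paths"].add(uri_path)
    results = []
    for (h, meth), g in groups.items():
        results.append({
            "host": h, "method": meth,
            "source_ips": sorted(g["source_ips"]),
            "upload_paths": sorted(g["upload_paths"]),
            "upload_count": g["upload_count"],
            # Same threshold as the query's risk_score eval.
            "risk_score": "HIGH" if g["upload_count"] > 5 else "MEDIUM",
        })
    return sorted(results, key=lambda r: -r["upload_count"])   # sort -upload_count

if __name__ == "__main__":
    for row in detect(SAMPLE_LOGS):
        print(row)
```

The GET for shell.php is deliberately not matched here, which is why the Testing Methodology below pairs this upload detection with a separate check for web shell execution.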
Data Sources
Required Sourcetypes
False Positives & Tuning
- Web developers legitimately uploading PHP include files through authorized CMS interfaces
- Automated deployment pipelines pushing PHP assets to upload directories
- Security scanners performing authorized vulnerability assessments against web applications
- Load balancer health check probes matching URI patterns
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Simulate CodeIgniter4 ext_in Bypass via Crafted Multipart Upload
Expected signal: HTTP POST to upload endpoint with Content-Type image/jpeg but .php file extension; file creation event in upload directory for a .php file; web server process as the initiating process for the file write
- Test 2: Web Shell Execution Verification After Upload
Expected signal: HTTP GET requests to PHP file path in upload directory; process tree showing web server (apache2/nginx/php-fpm) spawning shell or system binaries (id, whoami, uname); network connections to external IP if reverse shell payload used
- Test 3: Filesystem Reconnaissance via Uploaded Web Shell
Expected signal: Process events for cat, ls, find spawned by php-fpm or apache2 with web server UID; file read events on /etc/passwd and .env files initiated by web server process; auditd SYSCALL records for execve by www-data user