CVE-2026-25125: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in octobercms october
OctoberCMS versions prior to 3.7.14 and 4.1.10 have a server-side information disclosure vulnerability in the INI settings parser. Attackers with Editor access can inject environment variable interpolation patterns into CMS page settings, causing sensitive environment variables such as database passwords and application keys to be exposed. This vulnerability is relevant only when cms.safe_mode is enabled. It has been fixed in versions 3.7.14 and 4.1.10.
AI Analysis
Technical Summary
OctoberCMS parses the INI-style settings block of CMS templates with PHP's parse_ini_string(). In that function's default scanner mode, a ${NAME} reference is resolved: the name is looked up among PHP's ini directives and then in the process environment via getenv(). A backend user with Editor privileges can therefore type patterns such as ${APP_KEY} or ${DB_PASSWORD} into a page settings field; the values are resolved during parsing and written into the stored template, and when the page is reopened in the editor the resolved secrets are returned to that user. Anything getenv() can see from the PHP worker is in scope, which covers secrets exported as container environment variables, FPM pool env[] entries, or by a .env loader that calls putenv(), so database passwords, cloud keys and the application key can all be exfiltrated. The vulnerability matters only when cms.safe_mode is enabled, because with safe mode off an Editor can already write PHP in the template's code section and read the same values directly. The issue is fixed in OctoberCMS 3.7.14 and 4.1.10.
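The interpolation behaviour described above, as an added PHP example written for this page (not OctoberCMS code): a constructed settings block is fed to parse_ini_string() in the default scanner mode, which expands the patterns, and in INI_SCANNER_RAW, which does not. The environment values are constructed; the use of INI_SCANNER_RAW as the hardened variant and the rejectInterpolation() pre-check are this example's choices, not necessarily the project's actual fix.

```php
<?php
// Added example, not OctoberCMS code: how PHP's INI scanner expands ${NAME}
// from the process environment, and one way to defuse it. Requires PHP 8.

// Constructed sample environment. Real deployments set these through the
// container, the FPM pool's env[] entries or a .env loader that calls putenv().
putenv('APP_KEY=base64:SAMPLE-KEY-NOT-REAL==');
putenv('DB_PASSWORD=sample-db-password');

// Page settings as an Editor user could submit them; the description field
// carries the interpolation patterns. Nowdoc, so PHP itself does not touch "${".
$attackerSettings = <<<'INI'
title = "About us"
url = "/about"
layout = "default"
description = "${APP_KEY} / ${DB_PASSWORD}"
INI;

// Mirrors the vulnerable behaviour: INI_SCANNER_NORMAL (the default mode)
// resolves ${NAME} against PHP's ini directives and then getenv().
function parseSettingsExpanding(string $ini): array
{
    $parsed = parse_ini_string($ini, false, INI_SCANNER_NORMAL);
    return $parsed === false ? [] : $parsed;
}

// Hardened variant (this example's choice, not necessarily the project's fix):
// INI_SCANNER_RAW keeps values verbatim and performs no variable expansion.
function parseSettingsRaw(string $ini): array
{
    $parsed = parse_ini_string($ini, false, INI_SCANNER_RAW);
    return $parsed === false ? [] : $parsed;
}

// Defence in depth: refuse to store settings containing "${" at all, so the
// pattern never reaches a parser that might expand it.
function rejectInterpolation(string $ini): void
{
    if (str_contains($ini, '${')) {
        throw new InvalidArgumentException('page settings must not contain "${"');
    }
}

$expanded = parseSettingsExpanding($attackerSettings);
$raw      = parseSettingsRaw($attackerSettings);

echo "expanding parser: description = {$expanded['description']}\n";
echo "raw parser:       description = {$raw['description']}\n";

try {
    rejectInterpolation($attackerSettings);
} catch (InvalidArgumentException $e) {
    echo "validation: {$e->getMessage()}\n";
}
```

The expanding parser prints the two constructed secrets joined by " / "; the raw parser prints the literal text `${APP_KEY} / ${DB_PASSWORD}`. What resolves on a real host depends on what the PHP worker can see: PHP-FPM's pool default `clear_env = yes` drops the system environment, so only variables explicitly exported to the worker (env[] entries, container env, putenv()) are reachable.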
Potential Impact
Successful exploitation lets an attacker who already holds Editor access read sensitive environment variables, including database credentials, cloud keys and the application key, which can be turned into follow-on attacks such as direct database access or forging cookies and sessions signed with APP_KEY. The flaw does not itself alter data or affect availability; its impact is the loss of confidentiality of the application's most critical secrets. The CVSS v3.1 score of 4.9 (Medium) reflects that an authenticated, privileged backend account is required, not that the leaked material is low value.
Mitigation Recommendations
A fix is available in OctoberCMS 3.7.14 and 4.1.10; upgrade to those or later versions. Until then, limit the Editor area to fully trusted administrators and review who currently holds it. After patching, treat every secret that was readable through the worker's environment as exposed and rotate it (APP_KEY, database and cloud credentials), since an attacker who already read the values keeps them regardless of the upgrade; note that rotating APP_KEY invalidates existing sessions and encrypted cookies and requires re-encrypting any data encrypted with the old key. Also check existing theme templates for injected ${...} patterns and for stored settings whose value equals a current secret, which is the trace a successful read leaves behind. OctoberCMS is self-hosted software rather than a vendor-operated cloud service, so the "Is Cloud Service" flag in the metadata below does not mean the vendor will patch your instance; if a managed host runs it for you, confirm the version they have deployed.
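An added audit helper for incident response after this issue, written for this page (not an OctoberCMS tool). It assumes theme templates are .htm files whose INI settings block ends at a line containing only ==, and that the environment variables named in SECRET_VARS are the ones worth matching; it parses with INI_SCANNER_RAW so the audit itself cannot expand anything. Run it with a theme directory as the first argument, or with no argument to see it on the constructed samples.

```php
<?php
// Added audit helper, not OctoberCMS code. Scans the INI settings block of
// theme templates for (a) unexpanded "${" patterns and (b) stored values that
// equal a secret from the current environment, which is what a resolved
// ${APP_KEY} looks like once written back into the template.
// Assumptions: templates are .htm files whose settings block ends at a line
// containing only "==", and SECRET_VARS lists the variables worth matching.

const SECRET_VARS = ['APP_KEY', 'DB_PASSWORD', 'AWS_SECRET_ACCESS_KEY'];

function currentSecrets(): array
{
    $secrets = [];
    foreach (SECRET_VARS as $name) {
        $value = getenv($name);
        if ($value !== false && strlen($value) >= 8) { // ignore unset or short values
            $secrets[$name] = $value;
        }
    }
    return $secrets;
}

// Everything before the first "==" separator line is the INI settings block.
function settingsBlock(string $template): string
{
    return preg_split('/^==\s*$/m', $template, 2)[0];
}

function auditTemplate(string $path, string $template, array $secrets): array
{
    $findings = [];
    $ini = settingsBlock($template);
    if (str_contains($ini, '${')) {
        $findings[] = "$path: interpolation pattern in settings block";
    }
    // INI_SCANNER_RAW so the audit itself never expands anything.
    $settings = parse_ini_string($ini, false, INI_SCANNER_RAW) ?: [];
    foreach ($settings as $key => $value) {
        if (!is_string($value)) {
            continue;
        }
        foreach ($secrets as $name => $secret) {
            if (str_contains($value, $secret)) {
                $findings[] = "$path: setting '$key' contains the value of $name";
            }
        }
    }
    return $findings;
}

function auditThemeDir(string $dir, array $secrets): array
{
    $findings = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->getExtension() === 'htm') {
            $path = $file->getPathname();
            $findings = array_merge($findings, auditTemplate($path, file_get_contents($path), $secrets));
        }
    }
    return $findings;
}

$args = $argv ?? [];
if (count($args) > 1) {
    foreach (auditThemeDir($args[1], currentSecrets()) as $finding) {
        echo $finding, "\n";
    }
    exit(0);
}

// No directory given: run on constructed samples with a constructed secret.
putenv('APP_KEY=base64:SAMPLE-KEY-NOT-REAL==');
$samples = [
    'pages/home.htm'    => "title = \"Home\"\nurl = \"/\"\n==\n<p>Hello</p>\n",
    'pages/pending.htm' => "title = \"About\"\nurl = \"/about\"\ndescription = \"\${APP_KEY}\"\n==\n<p>About</p>\n",
    'pages/leaked.htm'  => "title = \"About\"\nurl = \"/about\"\ndescription = \"base64:SAMPLE-KEY-NOT-REAL==\"\n==\n<p>About</p>\n",
];
foreach ($samples as $path => $template) {
    foreach (auditTemplate($path, $template, currentSecrets()) as $finding) {
        echo $finding, "\n";
    }
}
```

On the constructed samples the helper reports the pending template for its `${` pattern and the leaked template for a description equal to the constructed APP_KEY, and stays silent on the clean one. Run it in the same environment as the PHP worker (same env[] entries or container) so currentSecrets() sees the values an attacker would have resolved.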
CVSS v3.1 score: 4.9 (Medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-29T14:03:42.540Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
- Is Cloud Service: true
Threat ID: 69deab4182d89c981ffdeb83
Added to database: 4/14/2026, 9:01:53 PM
Last enriched: 4/22/2026, 6:47:40 AM
Last updated: 5/30/2026, 10:53:21 AM