CVE-2026-25509 identifies an information disclosure vulnerability in ci4ms, a CodeIgniter 4-based CMS skeleton designed for modular architecture with RBAC and theme support. The vulnerability arises from an observable response discrepancy during the password reset workflow, which allows an unauthenticated attacker to determine if an email address is registered in the system. Specifically, when an attacker submits an email address to initiate a password reset, the application’s response differs based on whether the email exists, enabling enumeration. This flaw is categorized under CWE-204 (Observable Response Discrepancy) and affects all ci4ms versions prior to 0.28.5.0. The vulnerability does not allow modification of data or denial of service but compromises confidentiality by leaking user registration information. The CVSS v3.1 base score is 5.3 (medium), reflecting its network exploitability without authentication or user interaction, but limited impact scope. No known exploits are currently reported in the wild. The vendor has addressed this issue in version 0.28.5.0 by standardizing responses during password reset requests to prevent enumeration.

For European organizations, this vulnerability primarily threatens the confidentiality of user data by enabling attackers to enumerate valid email addresses registered in ci4ms-based systems. This information can be leveraged for targeted phishing, social engineering, or brute force attacks, increasing the risk of subsequent credential compromise or unauthorized access. While the vulnerability does not directly affect system integrity or availability, the indirect consequences of successful follow-up attacks could be severe, especially for organizations handling sensitive or regulated data. Sectors such as finance, healthcare, and government entities using ci4ms are particularly at risk. Additionally, the exposure of user lists can violate GDPR requirements concerning data minimization and protection, potentially leading to regulatory penalties. The risk is amplified in environments where password reset processes are not further protected by rate limiting or multi-factor authentication.

The primary mitigation is to upgrade all ci4ms installations to version 0.28.5.0 or later, where the vulnerability has been patched by normalizing password reset responses. Organizations should audit their current versions and prioritize patching. Additionally, implement rate limiting on password reset endpoints to reduce enumeration attempts and monitor logs for unusual password reset activity indicative of enumeration attacks. Employ multi-factor authentication (MFA) to reduce the impact of credential compromise. Review and tighten access controls around user management interfaces. Educate users about phishing risks that may arise from leaked email information. Finally, conduct regular security assessments and penetration tests focusing on authentication workflows to detect similar issues proactively.