Use of Less Trusted Source in CodeIgniter4 - #VU137011
Published: July 7, 2026
CodeIgniter4
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass HTTPS-only security checks.
The vulnerability exists due to use of less trusted source in IncomingRequest::isSecure() when handling client-supplied forwarded HTTPS headers. A remote attacker can send a request with spoofed X-Forwarded-Proto or Front-End-Https headers to bypass HTTPS-only security checks.
Exploitation depends on deployment configuration and is more likely when the backend is directly reachable over HTTP or when a reverse proxy forwards client-supplied forwarding headers without stripping or overwriting them.