CVE-2020-10793
Description
CodeIgniter through 4.0.0 allows remote attackers to gain privileges via a modified Email ID to the "Select Role of the User" page. NOTE: A contributor to the CodeIgniter framework argues that the issue should not be attributed to CodeIgniter. Furthermore, the blog post reference shows an unknown website built with the CodeIgniter framework but that CodeIgniter is not responsible for introducing this issue because the framework has never provided a login screen, nor any kind of login or user management facilities beyond a Session library. Also, another reporter indicates the issue is with a custom module/plugin to CodeIgniter, not CodeIgniter itself.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Disputed: CodeIgniter through 4.0.0 may allow privilege escalation via a modified Email ID, but the issue is actually in a custom module, not the framework itself.
Vulnerability
Claim
CVE-2020-10793 alleges that CodeIgniter versions through 4.0.0 allow remote attackers to gain privileges by modifying an Email ID on the "Select Role of the User" page [1]. The claim suggests that an attacker could escalate privileges by tampering with an email parameter during user role selection.
Dispute and Counterarguments
Several contributors dispute this attribution. They argue that CodeIgniter, as a framework, does not provide a login screen or any user management facilities beyond a Session library [1]. The framework's official repository and documentation confirm that authentication and user management are not built-in; they must be implemented separately or via third-party modules like CodeIgniter Shield [2][3]. The referenced blog post points to an unknown website built with CodeIgniter, but the vulnerability resides in a custom module or plugin, not in the framework core [1].
Impact and Mitigation
If the vulnerability exists, it could allow an attacker to gain elevated privileges within a specific application. However, since the issue is not in CodeIgniter itself, no framework-level patch is needed. Developers are advised to review their own custom authentication and user-role handling code [1]. The framework continues to be actively maintained, and the community recommends using the official authentication library (Shield) to avoid such custom implementation errors [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| codeigniter4/framework (Packagist) | <= 4.0.0 | — |
Affected products
- CodeIgniter/CodeIgniter (from description)
- OSV coordinates, 2 versions: < 4.0.0 (+1 more)
- (no CPE) range: < 4.0.0
- (no CPE) range: <= 4.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jwqp-wh5g-4gmm (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-10793 (GHSA advisory)
- codeigniter4.github.io/userguide/extending/authentication.html (GHSA, x_refsource_MISC, web)
- medium.com/@vbharad/account-takeover-via-modifying-email-id-codeigniter-framework-ca30741ad297 (MITRE x_refsource_MISC; GHSA web)
News mentions
No linked articles in our index yet.