CVE-2026-34570
Received Received - Intake
Persistent Unauthorized Access in CI4MS Due to Session Management Flaw

Publication date: 2026-04-01

Last updated on: 2026-04-06

Assigner: GitHub, Inc.

Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deleted accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access. This issue has been patched in version 0.31.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-06
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34570
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ci4-cms-erp ci4ms to 0.31.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
CWE-1254 The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in CI4MS, a CodeIgniter 4-based CMS skeleton, where prior to version 0.31.0.0, the system fails to immediately revoke active user sessions when an account is deleted.

Due to a logic flaw, account state changes are only enforced during login, not for sessions that are already active. This means that if a user account is deleted, the user can still access the system indefinitely until they manually log out.

There is no session expiration or account expiration mechanism, so deleted accounts retain unauthorized access, breaking the intended access control policy.

This issue was fixed in version 0.31.0.0.

Impact Analysis

This vulnerability can lead to persistent unauthorized access by users whose accounts have been deleted.

Since active sessions are not revoked immediately, deleted users can continue to access sensitive information or perform actions within the system until they log out manually.

This undermines the security and access control policies of the application, potentially exposing data or functionality to unauthorized individuals.

Detection Guidance

This vulnerability involves persistent unauthorized access due to active user sessions not being revoked immediately after account deletion in CI4MS versions prior to 0.31.0.0. Detection involves identifying active sessions belonging to deleted accounts.

To detect this on your system, you can:

  • Check the session store or database for active sessions linked to user accounts that no longer exist or have been deleted.
  • Review backend logs or audit trails (if available) for user activity from accounts that should have been deleted.
  • Use database queries to find sessions with user IDs that are missing from the users table.

Example commands (assuming a SQL-based session store and user table):

  • SQL query to find sessions with deleted users: SELECT session_id, user_id FROM sessions WHERE user_id NOT IN (SELECT id FROM users);
  • Check active sessions on the server (Linux example): ps aux | grep php or netstat -anp | grep LISTEN to identify active session processes or connections.
  • Review application logs for suspicious or persistent activity from deleted accounts if audit logging is enabled.

Upgrading to version 0.31.0.0 or later is recommended as it includes fixes that properly invalidate sessions upon account deletion.

Mitigation Strategies

To mitigate this vulnerability, upgrade the CI4MS application to version 0.31.0.0 or later, where the issue has been patched.

Until the upgrade is applied, consider manually terminating active user sessions when accounts are deleted to prevent persistent unauthorized access.

Compliance Impact

This vulnerability allows deleted user accounts to retain active sessions indefinitely, resulting in persistent unauthorized access. Such behavior breaks the intended access control policy.

Persistent unauthorized access due to failure to revoke sessions immediately upon account deletion can lead to non-compliance with common security requirements found in standards and regulations like GDPR and HIPAA, which mandate strict access control and timely revocation of user privileges.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34570. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart