CVE-2026-34572
Persistent Unauthorized Access in CI4MS Due to Session Revocation Flaw

Publication date: 2026-04-01

Last updated on: 2026-04-06

Assigner: GitHub, Inc.

Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deactivated accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw. This issue has been patched in version 0.31.0.0.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-02
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
1 associated CPE: vendor ci4-cms-erp, product ci4ms, versions up to 0.31.0.0 (exclusive)
CWE Classification
CWE-613: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
CWE-1254: The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

This vulnerability exists in CI4MS, a CodeIgniter 4-based CMS skeleton, where the system fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw, account state changes are only enforced during login, not for sessions already established. As a result, users with deactivated accounts can continue to access the system indefinitely until they manually log out, because there is no session or account expiration mechanism. This breaks the intended access control policy and leads to persistent unauthorized access.

Impact Analysis

This vulnerability can have a critical impact by allowing users whose accounts have been deactivated to maintain access to the system without restriction. This persistent unauthorized access can lead to data breaches, unauthorized actions, and compromise of system integrity, confidentiality, and availability.

Detection Guidance

This vulnerability arises because active user sessions are not revoked immediately when an account is deactivated, allowing continued access until manual logout.

To detect this issue on your system, you can monitor active sessions for users whose accounts have been deactivated but still maintain access.

Since the vulnerability is related to session management within the application, detection involves checking the session store or database for active sessions linked to deactivated accounts.

The advisory provides no specific commands or queries for detecting this vulnerability; the check has to be written against the application's own session store and user table.

Mitigation Strategies

The vulnerability has been patched in version 0.31.0.0 of the CI4MS application.

Immediate mitigation steps include upgrading the application to version 0.31.0.0 or later, which enforces account state changes immediately and revokes active sessions upon account deactivation.

Until the upgrade is applied, manually logging out users after account deactivation or implementing a session expiration mechanism can help reduce the risk.
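The kind of fix the patched version is described as applying, re-checking account state on every request instead of only at login, written here as an added CodeIgniter 4 example that is not CI4MS's own code. It assumes a `UserModel` over a `users` table with an `is_active` column and a session key `user_id` set at login; all three are hypothetical names.

```php
<?php
// Added example, not taken from CI4MS: a CodeIgniter 4 filter that revalidates
// the account on every authenticated request, so a deactivated account loses
// access on its next request rather than keeping its session until logout.
// Assumptions (hypothetical names): App\Models\UserModel maps a `users` table
// with an `is_active` column (array return type), and login stores 'user_id'
// in the session.
namespace App\Filters;

use App\Models\UserModel;
use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

class ActiveAccountFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        $session = session();
        $userId  = $session->get('user_id');

        if ($userId === null) {
            return; // Anonymous request: the login/auth filter handles it.
        }

        // Consult the database, not the session. The session is the cache
        // that the original flaw trusted for the whole lifetime of the login.
        $user = model(UserModel::class)->find($userId);

        if ($user === null || (int) $user['is_active'] !== 1) {
            // Revoke server-side state first, then redirect. Destroying the
            // session invalidates the cookie's session ID for future requests.
            $session->destroy();

            return redirect()->to('/login')
                ->with('error', 'Your account has been deactivated.');
        }
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // No post-processing needed; the decision is made before the controller runs.
    }
}
```

Register the class under `$aliases` in app/Config/Filters.php and apply it to every authenticated route (for example via `$globals['before']`) so no controller is reachable without the check. The per-request lookup is the cost of no longer trusting the session; a cheaper variant stores a per-user token in the session and compares it to one bumped on deactivation, which still requires a database read.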

Compliance Impact

This vulnerability allows deactivated user accounts to maintain active sessions indefinitely, resulting in persistent unauthorized access. Such a flaw undermines access control policies and can lead to unauthorized data exposure or modification.

Because regulations like GDPR and HIPAA require strict access controls and timely revocation of user privileges to protect sensitive data, this vulnerability could cause non-compliance with these standards by failing to immediately revoke access upon account deactivation.
