CVE-2026-34572
Persistent Unauthorized Access in CI4MS Due to Session Revocation Flaw
Publication date: 2026-04-01
Last updated on: 2026-04-06
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ci4-cms-erp | ci4ms | up to 0.31.0.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1254 | The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in CI4MS, a CodeIgniter 4-based CMS skeleton, where the system fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw, account state changes are only enforced during login, not for sessions already established. As a result, users with deactivated accounts can continue to access the system indefinitely until they manually log out, because there is no session or account expiration mechanism. This breaks the intended access control policy and leads to persistent unauthorized access.
How can this vulnerability impact me?
This vulnerability can have a critical impact by allowing users whose accounts have been deactivated to maintain access to the system without restriction. This persistent unauthorized access can lead to data breaches, unauthorized actions, and compromise of system integrity, confidentiality, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises because active user sessions are not revoked immediately when an account is deactivated, allowing continued access until manual logout.
To detect this issue on your system, you can monitor active sessions for users whose accounts have been deactivated but still maintain access.
Since the vulnerability is related to session management within the application, detection involves checking the session store or database for active sessions linked to deactivated accounts.
There are no specific commands provided in the available information to detect this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in version 0.31.0.0 of the CI4MS application.
Immediate mitigation steps include upgrading the application to version 0.31.0.0 or later, which enforces account state changes immediately and revokes active sessions upon account deactivation.
Until the upgrade is applied, manually logging out users after account deactivation or implementing a session expiration mechanism can help reduce the risk.
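The fix described above amounts to checking the account state on every authenticated request rather than only at login, and destroying the session as soon as the account is no longer active. The following CodeIgniter 4 filter is an added illustration of that pattern, not code from the CI4MS project or its patch; it assumes a `users` table with an `active` column and that the logged-in user's id is stored in the session under `user_id`.

```php
<?php

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

// Illustrative example (not CI4MS code). Table/column names `users`,
// `active` and the session key `user_id` are assumptions.
class ActiveAccountFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        $session = session();
        $userId  = $session->get('user_id');

        // Anonymous request: there is no account state to enforce.
        if ($userId === null) {
            return;
        }

        // Re-read the account state from the database on every request
        // instead of trusting the state that was current at login time.
        $user = db_connect()->table('users')
            ->select('active')
            ->where('id', $userId)
            ->get()
            ->getRow();

        if ($user === null || (int) $user->active !== 1) {
            // Account deleted or deactivated: tear down the session now so
            // the existing session id cannot be reused for further requests.
            $session->destroy();

            return redirect()->to('/login')
                ->with('error', 'Your account is no longer active.');
        }
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to enforce after the controller has run.
    }
}
```

Register the class as an alias in `app/Config/Filters.php` and add it to `$globals['before']` (excluding the login route) so the check runs before every controller, which also gives the session store a single place to audit for sessions that should have been revoked.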
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows deactivated user accounts to maintain active sessions indefinitely, resulting in persistent unauthorized access. Such a flaw undermines access control policies and can lead to unauthorized data exposure or modification.
Because regulations like GDPR and HIPAA require strict access controls and timely revocation of user privileges to protect sensitive data, this vulnerability could cause non-compliance with these standards by failing to immediately revoke access upon account deactivation.