Can you explain this vulnerability to me?

CVE-2026-41891 is a vulnerability in the ci4ms system, a CodeIgniter 4-based CMS. The issue occurs because the authentication filter has the check for deactivated or banned users commented out. As a result, users who have been deactivated by an administrator can still maintain active backend sessions and access the system until their session expires.

This happens because while the system's loggedIn() function checks the status for banned users, it does not re-check the 'active' field for existing sessions, allowing deactivated users to bypass restrictions unintentionally.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows deactivated users to maintain active sessions and retain backend access despite being deactivated by an admin. This could lead to unauthorized access to sensitive data or system functions.

Such unauthorized access may impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and timely revocation of user privileges to protect personal and sensitive information.

Because deactivated users can continue to access the system until their session expires (default 7200 seconds), this creates a window where data confidentiality and integrity could be compromised, potentially violating regulatory requirements.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability allows deactivated users to retain backend access despite being disabled by an administrator. This can lead to unauthorized access to the system for the duration of the user's session, which by default lasts 7200 seconds (2 hours).

The impact includes a moderate risk to confidentiality and integrity, as unauthorized users could potentially view or modify data they should no longer have access to. However, there is no impact on system availability.

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves deactivated users retaining backend access due to the auth filter's deactivated user check being commented out. Detection involves verifying if any active sessions belong to users who have been deactivated (active=0). Since the session expiration defaults to 7200 seconds, monitoring active sessions and cross-referencing with user status is key.

Suggested detection approach includes querying the session store or database for active sessions and checking if any correspond to deactivated users.

• Check active sessions in your session storage (e.g., database, Redis) and identify user IDs associated with those sessions.
• Query the user database to find users with active=0 (deactivated).
• Cross-reference the active sessions with deactivated user IDs to detect unauthorized access.

Example SQL commands (assuming sessions and users are stored in a database):

• SELECT user_id FROM sessions WHERE last_activity > UNIX_TIMESTAMP() - 7200;
• SELECT id FROM users WHERE active = 0;
• Compare the results to find sessions belonging to deactivated users.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the ci4ms system to version 0.31.8.0 or later, where this vulnerability has been patched.

The patch implements account status verification on every request through the Ci4MsAuthFilter, ensuring deactivated users cannot maintain active sessions.

Until the upgrade can be applied, consider manually invalidating all active sessions to force re-authentication, which will prevent deactivated users from continuing to access the system.

• Upgrade ci4ms to version 0.31.8.0 immediately.
• Invalidate or clear all active user sessions to remove any sessions held by deactivated users.
• Review and monitor user account statuses regularly to ensure deactivated users do not retain access.

Useful 0 Not Useful 0