Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deleted accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access. This issue has been patched in version 0.31.0.0.
Published: 2026-04-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Persistent Unauthorized Access via Session Invalidation Failure
Action: Apply Patch
AI Analysis

Impact

CI4MS, a CodeIgniter 4-based content management system, contains a logic flaw that causes deleted accounts to retain their authenticated sessions indefinitely. The flaw lies in the backend design, which only enforces account state changes during the authentication phase and not for sessions that are already active. As a result, when an account is marked as deleted, the system continues to trust the user until they manually log out. This leads to persistent unauthorized access across all roles assigned to the account, undermining the intended role‑based access control model.

Affected Systems

The vulnerability affects the CI4MS product from CI4‑CMS‑ERP. All releases prior to version 0.31.0.0 are vulnerable. The flaw was addressed and patched in the 0.31.0.0 release.

Risk and Exploitability

The CVSS v3.1 score of 8.8 (High) describes a network-reachable flaw that needs only low privileges and no user interaction and carries high confidentiality, integrity and availability impact; the CVSS v4.0 vector on the record rates it 10.0. The EPSS score below 1 % indicates a low estimated probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The description does not say how deletion is carried out (admin UI or API), and it does not need to: deleting the account is the defender's action, and the flaw is that the deletion never reaches sessions that already exist. The party who benefits is whoever holds a session for the deleted account, typically an offboarded or banned user, or anyone who has obtained that user's session cookie. Because account state is checked only at login and no session or account expiry is enforced, that session keeps every permission of the account's roles until its holder chooses to log out. The practical risk is therefore high wherever account deletion is relied on as the way to revoke access, even though the EPSS estimate of exploitation likelihood is low.

Generated by OpenCVE AI on April 7, 2026 at 02:54 UTC.

Remediation

Fixed in CI4MS 0.31.0.0 (see GHSA-4vxv-4xq4-p84h). No vendor-supplied workaround for earlier versions is documented.

OpenCVE Recommended Actions

  • Update CI4MS to version 0.31.0.0 or later
  • If an update is not immediately possible, do not treat an account as revoked until its sessions are gone: after each deletion, clear the affected entries from the server-side session store (or flush the store entirely), and re-check the account's state on every authenticated request rather than only at login
  • Verify with the vendor for any additional temporary mitigations or service‑specific instructions
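The following CodeIgniter 4 filter is an added example of the per-request re-check described above; it is not code from CI4MS or from the 0.31.0.0 fix. It assumes the login flow stores the user's primary key in the session under `user_id`, that users live in a `users` table with a nullable `deleted_at` column (the framework's soft-delete convention) and an `is_active` flag, and that the filter is registered under the alias `activeaccount`; all of those names are assumptions, not CI4MS identifiers.

```php
<?php

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

/**
 * Re-validates the account behind an already-established session on every
 * request, so that deleting or disabling an account takes effect on the
 * next request instead of only at the next login.
 *
 * Assumed conventions (illustrative, not taken from CI4MS):
 *  - the login flow stores the user's primary key in session as 'user_id';
 *  - the `users` table has a nullable `deleted_at` column (soft delete)
 *    and an `is_active` flag; a hard delete leaves no row at all.
 */
class ActiveAccountFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        $session = session();
        $userId  = $session->get('user_id');

        if ($userId === null) {
            return; // anonymous request: the login/auth filter handles it
        }

        // Read the account's *current* state from the database rather than
        // trusting whatever was copied into the session at login time.
        $user = db_connect()
            ->table('users')
            ->select('id, is_active, deleted_at')
            ->where('id', $userId)
            ->get()
            ->getRowArray();

        $revoked = $user === null                 // hard-deleted
            || $user['deleted_at'] !== null       // soft-deleted
            || (int) $user['is_active'] !== 1;    // disabled or suspended

        if (! $revoked) {
            return; // account still valid: continue to the controller
        }

        // Revoke immediately: discard the server-side session so the client's
        // cookie no longer maps to any authenticated state, then bounce to
        // login. Flash data would not survive destroy(), so no message is set.
        $session->destroy();

        return redirect()->to('/login');
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do after the controller has run.
    }
}
```

Register the class under an alias in app/Config/Filters.php and add that alias to the global `before` filters after the existing authentication filter, so every authenticated request pays one indexed primary-key lookup. Because the filter only acts when the session carries a `user_id` that no longer resolves to a live account, and destroys that session before redirecting, the subsequent request to the login page passes through and no redirect loop occurs. The filter closes the deleted-account gap; the separate "no session expiration" issue from the description is addressed by setting the framework's session expiration option for the installed CodeIgniter version, which bounds the lifetime of any session that is never explicitly revoked.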

Generated by OpenCVE AI on April 7, 2026 at 02:54 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-4vxv-4xq4-p84h
Title: CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)
History

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 10.0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}


Mon, 06 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

cvssV4_0

{'score': 10.0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}


Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 03 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared: Ci4-cms-erp; Ci4-cms-erp ci4ms
Vendors & Products: Ci4-cms-erp; Ci4-cms-erp ci4ms

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deleted accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access. This issue has been patched in version 0.31.0.0.
Title CI4MS: Account Deletion Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)
Weaknesses CWE-1254
CWE-284
CWE-613
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T17:15:53.691Z

Reserved: 2026-03-30T16:56:30.998Z

Link: CVE-2026-34570

Vulnrichment

Updated: 2026-04-03T16:41:05.727Z

NVD

Status : Modified

Published: 2026-04-01T22:16:20.870

Modified: 2026-04-06T18:16:41.637

Link: CVE-2026-34570

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:56:29Z

Weaknesses