Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deactivated accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw. This issue has been patched in version 0.31.0.0.
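As an added illustration of the fix the description calls for (this is not CI4MS's own code), the stand-alone PHP model below revokes a user's server-side sessions at deactivation time and re-checks account state on every request, so a session cannot outlive the account; the class name, the in-memory store layout and the `revoked_at` field are assumptions made for the demo.

```php
<?php
// Added example, not CI4MS project code: in-memory model of immediate session
// revocation on account deactivation plus a per-request re-check (defense in depth).
final class AccountSessionGuard
{
    private array $sessions = [];   // session id => ['user_id' => int, 'issued_at' => int]
    private array $accounts;        // user id => ['active' => bool, 'revoked_at' => int]

    public function __construct(array $accounts) { $this->accounts = $accounts; }

    public function login(int $userId, int $now): ?string
    {
        // The vulnerable design enforced account state only here; that check stays.
        if (!($this->accounts[$userId]['active'] ?? false)) { return null; }
        $sid = bin2hex(random_bytes(16));
        $this->sessions[$sid] = ['user_id' => $userId, 'issued_at' => $now];
        return $sid;
    }

    // Deactivation must revoke immediately: drop every live session for the user and
    // record the time, so sessions held in stores that cannot be enumerated by user
    // (file or cookie backed handlers) are still rejected by authorize().
    public function deactivate(int $userId, int $now): int
    {
        $this->accounts[$userId]['active'] = false;
        $this->accounts[$userId]['revoked_at'] = $now;
        $killed = 0;
        foreach ($this->sessions as $sid => $s) {
            if ($s['user_id'] === $userId) { unset($this->sessions[$sid]); $killed++; }
        }
        return $killed;
    }

    // Run on every authenticated request (a CodeIgniter 4 "before" filter is the natural place).
    public function authorize(string $sid): bool
    {
        $s = $this->sessions[$sid] ?? null;
        $acct = $s === null ? null : ($this->accounts[$s['user_id']] ?? null);
        if ($acct === null || !$acct['active'] || $s['issued_at'] <= ($acct['revoked_at'] ?? 0)) {
            unset($this->sessions[$sid]);   // stale session: destroy it and force re-login
            return false;
        }
        return true;
    }
}

// Constructed demo: user 42 logs in, is deactivated, and the old session is refused.
$guard = new AccountSessionGuard([42 => ['active' => true, 'revoked_at' => 0]]);
$sid = $guard->login(42, 1000);
echo 'before deactivation: ', var_export($guard->authorize($sid), true), PHP_EOL;
echo 'sessions revoked:    ', $guard->deactivate(42, 1001), PHP_EOL;
echo 'after deactivation:  ', var_export($guard->authorize($sid), true), PHP_EOL;
```

In a real deployment the `authorize()` check belongs in a filter applied to every authenticated route, and the account lookup should hit the database (or a short-lived cache) rather than an in-memory array.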
Published: 2026-04-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Persistent Unauthorized Access
Action: Immediate Patch
AI Analysis

Impact

CI4MS, a CodeIgniter 4-based CMS skeleton, has a logic flaw that prevents the immediate revocation of active user sessions when an account is deactivated. The application only updates account state during authentication, not for established sessions, meaning that deactivated accounts retain full access until users manually log out. This flaw results in persistent unauthorized access across all user roles, violating the intended RBAC access control policy and exposing the system to critical compromise.

Affected Systems

The vulnerability affects the CI4MS application from the vendor ci4-cms-erp. All installations of CI4MS versions prior to 0.31.0.0 are impacted, regardless of deployment environment, as the session invalidation logic is baked into the core module.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity, but the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers who already possess a valid session can exploit the flaw by keeping that session alive even after deactivation, achieving unauthorized continued access. The absence of a session expiration or account expiration mechanism makes this a straightforward privilege escalation scenario for any entity that can trigger account deactivation.

Generated by OpenCVE AI on April 6, 2026 at 19:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CI4MS to version 0.31.0.0 or later to apply the session invalidation patch.

Advisories
Source: Github GHSA
ID: GHSA-8fq3-c5w3-pj3q
Title: CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All-Roles via Improper Session Invalidation (Logic Flaw)
History

Mon, 06 Apr 2026 16:45:00 +0000

Type: CPEs
Values added: cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
Values added: Ci4-cms-erp; Ci4-cms-erp ci4ms
Type: Vendors & Products
Values added: Ci4-cms-erp; Ci4-cms-erp ci4ms

Thu, 02 Apr 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values added: CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deactivated accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw. This issue has been patched in version 0.31.0.0.
Type: Title
Values added: CI4MS: Account Deactivation Module Full Persistent Unauthorized Access for All-Roles via Improper Session Invalidation (Logic Flaw)
Type: Weaknesses
Values added: CWE-1254; CWE-284; CWE-613
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T13:51:10.563Z

Reserved: 2026-03-30T16:56:30.998Z

Link: CVE-2026-34572

Vulnrichment

Updated: 2026-04-02T13:50:59.503Z

NVD

Status: Analyzed

Published: 2026-04-01T22:16:21.180

Modified: 2026-04-06T16:32:05.870

Link: CVE-2026-34572

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:56:27Z

Weaknesses