Impact
CI4MS implements role-based access control, and its auth filter runs on each request to a protected page to confirm that the requesting account is still active. In every release from 0.26.0 up to, but not including, 0.31.8.0, the line in that filter which verified the active flag was commented out. Because the check never ran, a user whose account had been deactivated or banned by an administrator kept a working session and could continue to use the CMS exactly as an active user would. In practice the deactivation had no effect: the account holder, or anyone holding that account's session, retained access after the administrator believed it had been revoked, and could keep performing whatever actions the account's role permitted, including reading or modifying data.
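The pattern described above, as an added illustration rather than CI4MS's own code: a CodeIgniter 4 filter that re-checks the account's active flag on every request, with the check that the affected releases had commented out shown in place. The class name `ActiveUserFilter`, the session key `user_id`, the `App\Models\UserModel` model and the integer `active` column are assumptions made for the example; the `FilterInterface`, `session()`, `model()` and `redirect()` APIs are standard CodeIgniter 4.

```php
<?php

namespace App\Filters;

use App\Models\UserModel;
use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

/**
 * Illustrative auth filter (not CI4MS's own code). It runs before every
 * protected controller and refuses requests from accounts that are no
 * longer active, even when the browser still presents a valid session cookie.
 *
 * Assumptions (hypothetical): the login step stores the user id under the
 * session key 'user_id', and App\Models\UserModel maps a users table with an
 * integer column 'active' (1 = active, 0 = deactivated or banned) and returns
 * rows as arrays (the CodeIgniter 4 model default).
 */
class ActiveUserFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        $session = session();
        $userId  = $session->get('user_id');

        // No login at all: send the visitor to the login page.
        if ($userId === null) {
            return redirect()->to('/login');
        }

        // Re-read the account from the database on every request. A cached
        // 'active' value stored in the session at login would not notice an
        // administrator's deactivation until the user logged in again.
        $user = model(UserModel::class)->find($userId);

        // This is the class of check the affected releases had commented out.
        // With it disabled, a deactivated user's existing session kept working:
        //
        //   // if ($user === null || (int) $user['active'] !== 1) { ... }
        //
        // Restored form: deny the request and destroy the session so the same
        // cookie cannot simply be replayed.
        if ($user === null || (int) $user['active'] !== 1) {
            $session->destroy();

            return redirect()->to('/login')
                ->with('error', 'This account has been deactivated.');
        }

        // Returning nothing lets the request continue to the controller.
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do after the controller has run.
    }
}
```

The filter only takes effect once it is registered under an alias in `app/Config/Filters.php` and applied to the protected routes. A quick verification of a deployment: log in as a test account, deactivate that account from the admin interface, then replay the pre-existing session cookie against a protected page; a fixed instance redirects to the login page, an affected one serves the page.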
Affected Systems
The affected product is ci4ms from the vendor ci4-cms-erp (CI4MS). The vulnerability is present in every released version from 0.26.0 up to, but not including, 0.31.8.0. Version 0.31.8.0 restores the deactivated-user check in the authentication filter, and upgrading to it or a later release is the fix. Any deployment of an earlier release that relies on the default auth filter is affected.
Risk and Exploitability
The CVSS base score is 5.3, which CVSS rates as medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, so there is no public record of exploitation in the wild; that is an absence of reports, not evidence that it has gone unexploited. Exploitation requires nothing beyond ordinary web access to the application. The most likely adversary is the holder of a deactivated or banned account, such as a former employee or a banned user who still has the credentials or an existing session cookie, although anyone who has obtained such a session is in the same position. Because the filter never consulted the active flag, the deactivation simply did not take effect: the session continued to grant everything the account's role permitted, exposing data to someone who was supposed to have no access at all and, depending on the role, offering a foothold for further escalation within the CMS. Operators who relied on deactivation as revocation while running an affected version should treat those deactivations as ineffective until the upgrade, and review the activity of any account deactivated during that period.
OpenCVE Enrichment
Github GHSA