EUVD-2026-18086
GHSA-4vxv-4xq4-p84h
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deleted accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access. This issue has been patched in version 0.31.0.0.
Analysis
Session persistence in CI4MS (CodeIgniter 4 CMS skeleton) allows deleted user accounts to retain full system access indefinitely through active sessions until manual logout. Affects all versions prior to 0.31.0.0. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all CI4MS instances in production and document current version numbers; force logout all active sessions as interim containment. Within 7 days: Upgrade all CI4MS installations to version 0.31.0.0 or later per vendor advisory; conduct session audit for any unauthorized access. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today