What is the CVSS score of CVE-2026-34570?

CVE-2026-34570 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Ci4ms are affected by CVE-2026-34570?

CVE-2026-34570 affects CodeIgniter 4 CMS skeleton versions prior to 0.31.0.0, allowing deleted user accounts to retain full system access through active sessions.. A patch is available.

How to fix or mitigate CVE-2026-34570?

Within 24 hours: Identify all CI4MS instances in production and document current version numbers; force logout all active sessions as interim containment. Within 7 days: Upgrade all CI4MS installations to version 0.31.0.0 or later per vendor advisory; conduct session audit for any unauthorized access. Within 30 days: Implement mandatory session invalidation procedures tied to user account deletion workflows; review access logs for suspicious activity from deleted accounts during the vulnerability window.

Ci4ms CVE-2026-34570

EUVD-2026-18086 HIGH

Improper Access Control (CWE-284)

2026-04-01 GitHub_M

GHSA-4vxv-4xq4-p84h

Authentication Bypass Ci4ms

8.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Apr 02, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 01, 2026 - 22:16 euvd

EUVD-2026-18086

Analysis Generated

Apr 01, 2026 - 22:16 vuln.today

CVE Published

Apr 01, 2026 - 21:30 nvd

HIGH 8.8

DescriptionGitHub Advisory

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deleted accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access. This issue has been patched in version 0.31.0.0.

AnalysisAI

Session persistence in CI4MS (CodeIgniter 4 CMS skeleton) allows deleted user accounts to retain full system access indefinitely through active sessions until manual logout. Affects all versions prior to 0.31.0.0. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain valid user credentials

Delivery

Exploit

Admin deletes attacker's account

Execution

Attacker retains session access

Persist

Access protected resources with deleted account

Impact

Modify or exfiltrate sensitive data

Access

Obtain valid user credentials

Delivery

Exploit

Admin deletes attacker's account

Execution

Attacker retains session access

Persist

Access protected resources with deleted account

Impact

Modify or exfiltrate sensitive data

Vulnerability AssessmentAI

Exploitation	Requires authenticated user account in CI4MS versions prior to 0.31.0.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	While the CVSS 4.0 score of 10.0 Critical reflects maximum theoretical impact (network-accessible, no complexity, no privileges required, high impact to confidentiality/integrity/availability across security scopes), real-world exploitability requires specific preconditions that temper immediate risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An organization terminates a contractor and an administrator deletes their CI4MS account to revoke access. However, the contractor had established an authenticated session earlier that day and left their browser open. …
Remediation	Upgrade to CI4MS version 0.31.0.0 or later, which includes patches to enforce session invalidation upon account deletion. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all CI4MS instances in production and document current version numbers; force logout all active sessions as interim containment. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-34570 vulnerability details – vuln.today

Back

Ci4ms CVE-2026-34570

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code