What is the CVSS score of CVE-2026-34572?

CVE-2026-34572 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Ci4ms are affected by CVE-2026-34572?

CI4MS (CodeIgniter 4 CMS) versions prior to 0.31.0.0 contain a session fixation vulnerability that allows deactivated user accounts to retain full system access indefinitely, creating a critical…. A patch is available.

How to fix or mitigate CVE-2026-34572?

Within 24 hours: Inventory all CI4MS deployments and document current version numbers; identify deactivated user accounts created in the past 90 days and force immediate session termination via database or CMS administrative backend. Within 7 days: Implement mandatory account logout on administrative deactivation by developing a custom patch or deploying an authentication middleware that invalidates all sessions for disabled users on each request; monitor login/audit logs for anomalous activity from deactivated accounts. Within 30 days: Upgrade to CI4MS 0.31.0.0 or later when available; conduct access review of all deactivated accounts to detect unauthorized activity.

Ci4ms CVE-2026-34572

EUVD-2026-18089 HIGH

Improper Access Control (CWE-284)

2026-04-01 GitHub_M

GHSA-8fq3-c5w3-pj3q

Authentication Bypass Ci4ms

8.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Apr 02, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 01, 2026 - 22:16 euvd

EUVD-2026-18089

Analysis Generated

Apr 01, 2026 - 22:16 vuln.today

CVE Published

Apr 01, 2026 - 21:35 nvd

HIGH 8.8

DescriptionGitHub Advisory

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deactivated accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw. This issue has been patched in version 0.31.0.0.

AnalysisAI

Session fixation vulnerability in CI4MS (CodeIgniter 4 CMS) allows deactivated user accounts to maintain indefinite access through active sessions. Authenticated attackers whose accounts have been administratively disabled retain full high-privilege access (confidentiality, integrity, availability impact) until manual logout, bypassing intended access controls. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as legitimate user

Delivery

Administrator deactivates attacker's account

Exploit

Attacker maintains active session with full privileges

Execution

Access sensitive data and modify application state

Impact

Escalate privileges through account state mismatch

Access

Authenticate as legitimate user

Delivery

Administrator deactivates attacker's account

Exploit

Attacker maintains active session with full privileges

Execution

Access sensitive data and modify application state

Impact

Escalate privileges through account state mismatch

Vulnerability AssessmentAI

Exploitation	Requires valid authenticated user account in CI4MS versions prior to 0.31.0.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.8 severity is justified by the attack profile: network-accessible (AV:N), low complexity (AC:L), requiring only low privileges (PR:L) with no user interaction (UI:N), enabling high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An organization terminates a developer's employment and immediately deactivates their CI4MS administrator account following standard offboarding procedures. The developer, still logged into the CMS from their home workstation with an active session established days earlier, discovers their portal access remains functional despite the account deactivation. …
Remediation	Upgrade immediately to CI4MS version 0.31.0.0 or later, which implements session invalidation logic tied to account state changes. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all CI4MS deployments and document current version numbers; identify deactivated user accounts created in the past 90 days and force immediate session termination via database or CMS administrative backend. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-34572 vulnerability details – vuln.today

Back

Ci4ms CVE-2026-34572

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code