CVE-2026-34572

| EUVD-2026-18089 HIGH
2026-04-01 GitHub_M GHSA-8fq3-c5w3-pj3q
8.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch Released
Apr 02, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 01, 2026 - 22:16 vuln.today
EUVD ID Assigned
Apr 01, 2026 - 22:16 euvd
EUVD-2026-18089
CVE Published
Apr 01, 2026 - 21:35 nvd
HIGH 8.8

Tags

Authentication Bypass

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deactivated accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw. This issue has been patched in version 0.31.0.0.

Analysis

Session fixation vulnerability in CI4MS (CodeIgniter 4 CMS) allows deactivated user accounts to maintain indefinite access through active sessions. Authenticated attackers whose accounts have been administratively disabled retain full high-privilege access (confidentiality, integrity, availability impact) until manual logout, bypassing intended access controls. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Inventory all CI4MS deployments and document current version numbers; identify deactivated user accounts created in the past 90 days and force immediate session termination via database or CMS administrative backend. Within 7 days: Implement mandatory account logout on administrative deactivation by developing a custom patch or deploying an authentication middleware that invalidates all sessions for disabled users on each request; monitor login/audit logs for anomalous activity from deactivated accounts. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

44
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +44
POC: 0

Share

CVE-2026-34572 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy