Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The auth filter has the deactivated/banned user check commented out.
Details
CodeIgniter Shield's loggedIn() re-checks the status field (catching status='banned'), but does not re-check the active field for existing sessions. When an admin deactivates a user (active=0) after they have already logged in:
- Their session cookie remains valid
auth()->loggedIn()still returnstrue- The commented-out code is the only mechanism that would have checked
!$user->active
Evidence
<img width="981" height="654" alt="image" src="https://github.com/user-attachments/assets/6f75d144-5bcf-4a3f-bc35-bb0715c3ed05" />
Impact
- User deactivation does NOT immediately revoke backend access
- Deactivated user retains full access until session expires (default: 7200s)
Additional note
The commented-out block appears to be a deferred placeholder - it was written but disabled from the very first commit that introduced the filter, and has never been active. The later addition of SessionTracker (v0.31.4.0) suggests the dev was aware of the session revocation gap, but account-level deactivation (users.active = 0) remains unenforced. Could you verify if this is intentionally pending or simply forgotten and not documented?.
AnalysisAI
Deactivated user accounts in CI4MS retain full backend access until session expiration because the authentication filter fails to re-check the active status field for existing sessions. When an administrator sets a user's active field to 0, the user's session cookie remains valid and auth()->loggedIn() continues returning true, allowing the deactivated user to access protected resources for up to 7200 seconds (default session timeout). The vulnerability exists because code to enforce this check was commented out since the filter's initial commit and never activated.
Technical ContextAI
CI4MS is a CodeIgniter 4-based CMS/ERP platform that uses CodeIgniter Shield for authentication. The vulnerability resides in the Ci4MsAuthFilter class, which implements a before() filter to validate user session status on each request. CodeIgniter Shield's loggedIn() method re-checks the banned status (status='banned') but does not re-check the active field. The filter's job is to perform supplementary validation by examining user account metadata retrieved from the session. The commented-out code block (present since initial commit) contained the exact mechanism needed: checking both $user->isBanned() and !$user->active, then calling auth('session')->logout() to terminate the session. The root cause is CWE-613 (Insufficient Session Expiration), where account-level deactivation is not enforced during session validation, creating a window where deactivated accounts retain unauthorized access.
RemediationAI
Upgrade to CI4MS version 0.31.8.0 or later immediately. The patch re-activates the deactivated/banned user check in Ci4MsAuthFilter.php, uncommenting and refining the validation logic to check both isBanned() status and active field (with explicit type checking: (int)$user->active === 0), then call auth('session')->logout() to terminate sessions of deactivated users on their next request. The fix is available in commit 2f38284281ce6b435ea42003951f14109ac2cea7 and released version 0.31.8.0 (https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.8.0). As a temporary workaround pending upgrade, if immediate patching is not feasible, reduce the session timeout configuration (session.expiration in CodeIgniter config) from the default 7200 seconds to a shorter interval (e.g., 1800 seconds / 30 minutes) to minimize the window during which deactivated users retain access; note that this reduces overall session security and user experience, so it is not a substitute for patching. Additionally, audit active sessions in your application after deactivating any user account to manually force session invalidation if your framework supports it (e.g., via a manual session deletion query or admin dashboard feature). Update the bundled elFinder dependency (from 2.1.66 to 2.1.67) as mentioned in the patch.
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28294
GHSA-5hfv-c864-qcq9