Skip to main content

CI4MS EUVDEUVD-2026-28294

| CVE-2026-41891 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-05-04 https://github.com/ci4-cms-erp/ci4ms GHSA-5hfv-c864-qcq9
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
May 07, 2026 - 04:35 NVD
5.3 (MEDIUM)
Source Code Evidence Fetched
May 04, 2026 - 21:30 vuln.today
Analysis Generated
May 04, 2026 - 21:30 vuln.today

DescriptionGitHub Advisory

Summary

The auth filter has the deactivated/banned user check commented out.

Details

CodeIgniter Shield's loggedIn() re-checks the status field (catching status='banned'), but does not re-check the active field for existing sessions. When an admin deactivates a user (active=0) after they have already logged in:

  • Their session cookie remains valid
  • auth()->loggedIn() still returns true
  • The commented-out code is the only mechanism that would have checked !$user->active

Evidence

<img width="981" height="654" alt="image" src="https://github.com/user-attachments/assets/6f75d144-5bcf-4a3f-bc35-bb0715c3ed05" />

Impact

  • User deactivation does NOT immediately revoke backend access
  • Deactivated user retains full access until session expires (default: 7200s)

Additional note

The commented-out block appears to be a deferred placeholder - it was written but disabled from the very first commit that introduced the filter, and has never been active. The later addition of SessionTracker (v0.31.4.0) suggests the dev was aware of the session revocation gap, but account-level deactivation (users.active = 0) remains unenforced. Could you verify if this is intentionally pending or simply forgotten and not documented?.

AnalysisAI

Deactivated user accounts in CI4MS retain full backend access until session expiration because the authentication filter fails to re-check the active status field for existing sessions. When an administrator sets a user's active field to 0, the user's session cookie remains valid and auth()->loggedIn() continues returning true, allowing the deactivated user to access protected resources for up to 7200 seconds (default session timeout). The vulnerability exists because code to enforce this check was commented out since the filter's initial commit and never activated.

Technical ContextAI

CI4MS is a CodeIgniter 4-based CMS/ERP platform that uses CodeIgniter Shield for authentication. The vulnerability resides in the Ci4MsAuthFilter class, which implements a before() filter to validate user session status on each request. CodeIgniter Shield's loggedIn() method re-checks the banned status (status='banned') but does not re-check the active field. The filter's job is to perform supplementary validation by examining user account metadata retrieved from the session. The commented-out code block (present since initial commit) contained the exact mechanism needed: checking both $user->isBanned() and !$user->active, then calling auth('session')->logout() to terminate the session. The root cause is CWE-613 (Insufficient Session Expiration), where account-level deactivation is not enforced during session validation, creating a window where deactivated accounts retain unauthorized access.

RemediationAI

Upgrade to CI4MS version 0.31.8.0 or later immediately. The patch re-activates the deactivated/banned user check in Ci4MsAuthFilter.php, uncommenting and refining the validation logic to check both isBanned() status and active field (with explicit type checking: (int)$user->active === 0), then call auth('session')->logout() to terminate sessions of deactivated users on their next request. The fix is available in commit 2f38284281ce6b435ea42003951f14109ac2cea7 and released version 0.31.8.0 (https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.8.0). As a temporary workaround pending upgrade, if immediate patching is not feasible, reduce the session timeout configuration (session.expiration in CodeIgniter config) from the default 7200 seconds to a shorter interval (e.g., 1800 seconds / 30 minutes) to minimize the window during which deactivated users retain access; note that this reduces overall session security and user experience, so it is not a substitute for patching. Additionally, audit active sessions in your application after deactivating any user account to manually force session invalidation if your framework supports it (e.g., via a manual session deletion query or admin dashboard feature). Update the bundled elFinder dependency (from 2.1.66 to 2.1.67) as mentioned in the patch.

Share

EUVD-2026-28294 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy