CVE-2026-34570
Published: 01 April 2026
Summary
CVE-2026-34570 is a high-severity Improper Access Control (CWE-284) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Redundant Access (T1108); ranked at the 10.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and AC-2 (Account Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-12 requires automatic termination of user sessions upon organization-defined conditions such as account deletion, directly addressing the failure to revoke active sessions for deleted accounts.
AC-2 mandates timely account disabling and removal processes, ensuring access is revoked immediately upon account deletion to prevent persistent unauthorized session access.
AC-3 enforces approved access control policies on logical access, enabling checks of current account status to block unauthorized access from lingering sessions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows persistent sessions to remain valid after account deletion, enabling attackers to maintain unauthorized access despite revocation attempts, which directly facilitates the Redundant Access technique.
NVD Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a…
more
logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deleted accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access. This issue has been patched in version 0.31.0.0.
Deeper analysisAI
CVE-2026-34570 is a critical access control vulnerability in CI4MS, a CodeIgniter 4-based CMS skeleton providing modular architecture, RBAC authorization, and theme support. In versions prior to 0.31.0.0, the application fails to immediately revoke active user sessions upon account deletion due to a backend logic flaw. Account state changes, such as deletion, are enforced only during authentication events like login, not for existing sessions. The system lacks session expiration or account expiration mechanisms, allowing deleted accounts indefinite access until manual logout and breaking intended access control policies. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 284 (Improper Access Control), 613 (Insufficient Session Expiration), and 1254 (Correctable Typo in Security Name).
An attacker with low privileges (PR:L), such as an authenticated user, can exploit this over the network (AV:N) with low complexity and no user interaction. If an administrator deletes the attacker's account, the existing session persists, granting continued unauthorized access to the user's prior privileges for the session lifetime. This enables high-impact outcomes, including unauthorized data access or modification (C:H/I:H) and potential service disruption (A:H), as the system assumes authenticated sessions remain trusted indefinitely.
The vulnerability is patched in CI4MS version 0.31.0.0. Advisories recommend immediate upgrade to this version to enforce session revocation on account state changes. Details are provided in the GitHub security advisory (GHSA-4vxv-4xq4-p84h) and release notes at https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0.
Details
- CWE(s)