Cyber Resilience

CVE-2026-34570

HighPublic PoC

Published: 01 April 2026

Published
01 April 2026
Modified
06 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0050 39.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-34570 is a high-severity Improper Access Control (CWE-284) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Redundant Access (T1108); ranked at the 39.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and AC-2 (Account Management).

Deeper analysis

CVE-2026-34570 is a critical access control vulnerability in CI4MS, a CodeIgniter 4-based CMS skeleton providing modular architecture, RBAC authorization, and theme support. In versions prior to 0.31.0.0, the application fails to immediately revoke active user sessions upon account deletion due to a backend logic flaw. Account state changes, such as deletion, are enforced only during authentication events like login, not for existing sessions. The system lacks session expiration or account expiration mechanisms, allowing deleted accounts indefinite access until manual logout and breaking intended access control policies. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 284 (Improper Access Control), 613 (Insufficient Session Expiration), and 1254 (Correctable Typo in Security Name).

An attacker with low privileges (PR:L), such as an authenticated user, can exploit this over the network (AV:N) with low complexity and no user interaction. If an administrator deletes the attacker's account, the existing session persists, granting continued unauthorized access to the user's prior privileges for the session lifetime. This enables high-impact outcomes, including unauthorized data access or modification (C:H/I:H) and potential service disruption (A:H), as the system assumes authenticated sessions remain trusted indefinitely.

The vulnerability is patched in CI4MS version 0.31.0.0. Advisories recommend immediate upgrade to this version to enforce session revocation on account state changes. Details are provided in the GitHub security advisory (GHSA-4vxv-4xq4-p84h) and release notes at https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a…

more

logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deleted accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access. This issue has been patched in version 0.31.0.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1108 Redundant Access Stealth
**This technique has been deprecated.
Why these techniques?

The vulnerability allows persistent sessions to remain valid after account deletion, enabling attackers to maintain unauthorized access despite revocation attempts, which directly facilitates the Redundant Access technique.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34572Same product: Ci4-Cms-Erp Ci4Ms
CVE-2026-25510Same product: Ci4-Cms-Erp Ci4Ms
CVE-2026-34568Same product: Ci4-Cms-Erp Ci4Ms
CVE-2026-34561Same product: Ci4-Cms-Erp Ci4Ms
CVE-2026-34559Same product: Ci4-Cms-Erp Ci4Ms
CVE-2026-34558Same product: Ci4-Cms-Erp Ci4Ms
CVE-2026-34562Same product: Ci4-Cms-Erp Ci4Ms
CVE-2026-34564Same product: Ci4-Cms-Erp Ci4Ms
CVE-2026-27599Same product: Ci4-Cms-Erp Ci4Ms
CVE-2026-39389Same product: Ci4-Cms-Erp Ci4Ms

Affected Assets

ci4-cms-erp
ci4ms
≤ 0.31.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-12 requires automatic termination of user sessions upon organization-defined conditions such as account deletion, directly addressing the failure to revoke active sessions for deleted accounts.

prevent

AC-2 mandates timely account disabling and removal processes, ensuring access is revoked immediately upon account deletion to prevent persistent unauthorized session access.

prevent

AC-3 enforces approved access control policies on logical access, enabling checks of current account status to block unauthorized access from lingering sessions.

References