CVE-2026-34572
Published: 01 April 2026
Summary
CVE-2026-34572 is a high-severity Improper Access Control (CWE-284) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Web Session Cookie (T1550.004); ranked at the 26.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and AC-2 (Account Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-12 requires automatic session termination upon organization-defined conditions such as account deactivation, directly preventing persistent unauthorized access from active sessions of deactivated accounts.
AC-2 mandates procedures for promptly disabling accounts under defined circumstances, which can include mechanisms to revoke associated active sessions upon deactivation.
AC-3 enforces approved access authorizations continuously, ensuring logical access checks account status beyond initial authentication to block deactivated users.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows continued use of active web sessions (cookies) after account deactivation due to missing revocation, directly facilitating T1550.004 by enabling bypass of authentication controls via alternate session material.
NVD Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a…
more
logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deactivated accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw. This issue has been patched in version 0.31.0.0.
Deeper analysisAI
CVE-2026-34572 is a critical authorization flaw in CI4MS, a CodeIgniter 4-based CMS skeleton providing production-ready modular architecture, RBAC authorization, and theme support. In versions prior to 0.31.0.0, the application does not immediately revoke active user sessions upon account deactivation due to a backend logic error. Account state changes are only enforced during authentication, allowing established sessions to persist indefinitely without expiration or revocation mechanisms. This violates the intended access control policy, mapped to CWE-284 (Improper Access Control), CWE-613 (Insufficient Session Expiration), and CWE-1254 (Access Control Challenge), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated low-privilege user (PR:L) can exploit this remotely (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). If their account is deactivated after login—such as by an administrator—they retain full session privileges until manually logging out, enabling persistent unauthorized access to sensitive resources, data modification, or disruption, achieving high impacts on confidentiality, integrity, and availability.
The issue is addressed in CI4MS version 0.31.0.0, as detailed in the project's GitHub release notes and security advisories (GHSA-8fq3-c5w3-pj3q). Security practitioners should upgrade to the patched version and review session management in similar CodeIgniter-based applications to ensure real-time enforcement of account state changes.
Details
- CWE(s)