Zero Day MonitorZDM

← Back to list

8.0

CVE-2026-34572PATCHED

ci4-cms-erp · ci4ms

CI4MS: Account Deactivation Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deactivated accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw. This issue has been patched in version 0.31.0.0.

Affected Products

Vendor	Product	Versions
ci4-cms-erp	ci4ms	composer/ci4-cms-erp/ci4ms: <= 0.28.6.0

References

https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-8fq3-c5w3-pj3q(x_refsource_CONFIRM)
https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB9h ago

CVE-2026-34572 | ci4-cms-erp ci4ms 0.28.5.0 access control (GHSA-8fq3-c5w3-pj3q)

→ No new info (linked only)

CVSS 3.18.0 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

ci4-cms-erp/ci4ms@0.31.0.0

CWECWE-284, CWE-613, CWE-1254

PublishedApr 1, 2026

Last enriched8h agov2

Trending Score29

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-34561EXP

CI4MS: System Settings (Social Media Management) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

CRITICALCVE-2026-34566

CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

CRITICALCVE-2026-34571

CI4MS: Stored Cross‑Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise

CRITICALCVE-2026-34560

CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

CRITICALCVE-2026-34568

CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 1, 2026

Discovered by ZDM

Apr 1, 2026

Patch Available

Apr 1, 2026

Updated: severity

Apr 2, 2026

Version History

v2

Last enriched 8h ago

v2Tier C8h ago

Updated severity to CRITICAL and noted that there is no exploit available.

severity

via VulDB

v111h ago

Initial creation