CVE-2026-34572

Exploit

EPSS 0.09%
Veröffentlicht 01.04.2026 21:35:10
Zuletzt bearbeitet 06.04.2026 16:32:05
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deactivated accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw. This issue has been patched in version 0.31.0.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ci4-cms-erp ≫ Ci4ms Version < 0.31.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.246

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-1254 Incorrect Comparison Logic Granularity

The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0

Release Notes

https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-8fq3-c5w3-pj3q

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-34572

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34572

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34572

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-34572