Logic Flaw in CI4MS CMS Allows Unauthorized Session Persistence
CVE-2026-34570
10 CRITICAL
What is CVE-2026-34570?
CI4MS, a CodeIgniter 4-based content management system, contains a logic flaw: active user sessions are not revoked when an account is deleted. Because the backend checks account state only during authentication (at login) and not on subsequent requests, a previously authenticated user keeps access to the system after their account has been removed. This design flaw permits ongoing unauthorized access until the user manually logs out, undermining the intended effect of account removal. The issue was addressed in version 0.31.0.0.
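The pattern behind the flaw, and its fix, can be shown with a small session store. The following is an added illustration written in Python, not CI4MS code (CI4MS is a PHP/CodeIgniter 4 project); the `VulnerableApp`, `HardenedApp`, user records and session tokens are constructed stand-ins for a database-backed CMS. The vulnerable class enforces account state only at login, so a session outlives its deleted account; the hardened class both revokes the account's sessions on deletion and re-validates the account on every request, so a session is rejected even if a revocation were ever missed.

```python
"""Session persistence after account deletion: vulnerable pattern vs. hardened pattern.

Added example, not CI4MS code. Users and sessions live in plain dicts as
constructed stand-ins for the CMS database and session backend.
"""
import secrets
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    username: str
    active: bool = True


@dataclass
class Session:
    token: str
    user_id: int


class VulnerableApp:
    """Account state is enforced only at login; a session outlives its account."""

    def __init__(self):
        self.users: dict[int, User] = {}
        self.sessions: dict[str, Session] = {}

    def add_user(self, user_id: int, username: str) -> None:
        self.users[user_id] = User(user_id, username)

    def login(self, user_id: int):
        """Issue a session token only if the account exists and is active."""
        user = self.users.get(user_id)
        if user is None or not user.active:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user_id)
        return token

    def delete_user(self, user_id: int) -> None:
        # Flaw: the user record is removed, but its sessions are left untouched.
        self.users.pop(user_id, None)

    def is_authenticated(self, token: str) -> bool:
        # Flaw: only checks that the session exists, never re-checks the account.
        return token in self.sessions


class HardenedApp(VulnerableApp):
    """Revoke sessions on deletion AND re-validate the account on every request."""

    def delete_user(self, user_id: int) -> None:
        super().delete_user(user_id)
        # Revoke every session that belongs to the deleted account.
        self.sessions = {t: s for t, s in self.sessions.items() if s.user_id != user_id}

    def is_authenticated(self, token: str) -> bool:
        session = self.sessions.get(token)
        if session is None:
            return False
        user = self.users.get(session.user_id)
        # Defence in depth: a session whose account is gone or disabled is
        # rejected and dropped, even if the deletion path missed the revocation.
        if user is None or not user.active:
            self.sessions.pop(token, None)
            return False
        return True


def demo(app_cls):
    """Log in as user 1, delete the account, report whether the old session still works."""
    app = app_cls()
    app.add_user(1, "alice")
    token = app.login(1)
    before = app.is_authenticated(token)
    app.delete_user(1)
    after = app.is_authenticated(token)
    return before, after


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableApp))  # (True, True)  session survives deletion
    print("hardened:  ", demo(HardenedApp))    # (True, False) session revoked
```

The per-request check in `HardenedApp.is_authenticated` is the part that closes the gap described above: revoking sessions at deletion time is necessary, but tying session validity to current account state means a disabled or deleted account loses access on the next request regardless of which code path changed its state.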
Affected Version(s)
ci4ms < 0.31.0.0
