Session Management Flaw in CI4MS by CodeIgniter 4
CVE-2026-34572

8.8HIGH

Key Information:

Vendor: Ci4-cms-erp
Status: Ci4ms
Vendor: CVE Published:; 1 April 2026

🔔 Create Ci4-cms-erp Vulnerability Alert

What is CVE-2026-34572?

CI4MS, a CMS framework built on CodeIgniter 4, suffers from a session management flaw that prevents the immediate revocation of user sessions upon account deactivation. This issue arises from a design flaw where session integrity is not enforced beyond the authentication phase, allowing users with deactivated accounts to maintain access indefinitely until manually logging out. This weakness compromises the platform's access controls, leading to potential unauthorized usage of the application by deactivated accounts. The critical issue has been addressed in version 0.31.0.0, emphasizing the importance of timely patching for maintaining security.

Affected Version(s)

ci4ms < 0.31.0.0

References

https://github.com/ci4-cms-erp/ci4ms/security/advisories/...

x_refsource_CONFIRM

https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 1, 2026
Vulnerability Reserved
Mar 30, 2026

CVE-2026-34572 Data

JSON