HighPublic exploit

CI4MS session revocation flaw for deleted accounts

IdentifiersCVE-2026-34570CWE-613· Insufficient Session Expiration

CVE-2026-34570 affects CI4MS, a CodeIgniter 4-based CMS skeleton, in versions prior to 0.31.0.0. The vulnerability is caused by a backend logic flaw in which account state changes, specifically account deletion, are enforced only at authentication time and are not revalidated for already-established sessions. As a result, when an account is deleted, any active session associated with that account remains valid instead of being immediately revoked. Because the application also lacked session expiration or account expiration controls in the described scenario, a deleted user could continue accessing the application indefinitely until manually logging out. This breaks the intended access control model and results in persistent unauthorized access by accounts that should no longer be valid.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

An attacker or former user with an already-authenticated session can continue to access CI4MS after the associated account has been deleted. This results in unauthorized persistence of access and undermines account lifecycle enforcement and RBAC expectations. Depending on the permissions held by the deleted account at the time the session was established, the issue can expose confidentiality, integrity, and availability impacts through continued access to protected application functionality and data.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, implement compensating controls to forcibly invalidate all active sessions when an account is deleted or disabled. Add server-side checks on each request, or at least on privileged actions, to verify that the backing account still exists and remains authorized. Introduce session expiration and administrative session revocation capabilities to reduce the window of exposure for stale authenticated sessions.

Remediation

Patch, then assume compromise.

Upgrade CI4MS to version 0.31.0.0 or later, where the issue has been patched. The fix should ensure that account deletion immediately invalidates all active sessions associated with the deleted account and that session validity is rechecked against current account state rather than being trusted solely based on successful past authentication.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Ci4-Cms-ErpCi4msapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

cvefeed high severityNews

Apr 1, 2026

CVE-2026-34570 - CI4MS: Account Deletion Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

An access control/session management flaw in CI4MS where deleted accounts retain active authenticated sessions and continue to have unauthorized access until logout. Patched in version 0.31.0.0.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-34570

NVD

nvd.nist.gov/vuln/detail/CVE-2026-34570

MITRE CWE · CWE-613

Insufficient Session Expiration

Vendor Advisory

github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4vxv-4xq4-p84h

Release Notes

github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0