CVE-2026-34570 is a critical security vulnerability identified in ci4ms, a CMS built on the CodeIgniter 4 framework. The vulnerability arises from improper access control (CWE-284) and flawed session management logic (CWE-613), where the system fails to revoke active user sessions when an account is deleted. Specifically, the backend enforces account state changes only during authentication events, such as login, but does not check or invalidate existing sessions for deleted accounts. Consequently, users whose accounts have been removed retain indefinite access until they manually log out, as there is no session expiration or account expiration mechanism. This design flaw breaks the intended Role-Based Access Control (RBAC) policy, allowing persistent unauthorized access. The vulnerability affects all ci4ms versions prior to 0.31.0.0 and was publicly disclosed in April 2026. The CVSS 4.0 base score is 10.0, reflecting the vulnerability's ease of exploitation (no authentication or user interaction required), network attack vector, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the critical nature of the flaw demands immediate remediation. The issue has been addressed in ci4ms version 0.31.0.0 by implementing proper session invalidation upon account deletion and improving session lifecycle management.

The vulnerability allows attackers or unauthorized users with deleted accounts to maintain persistent access to the ci4ms system without re-authentication, effectively bypassing access control policies. This can lead to unauthorized data exposure, modification, or deletion, compromising confidentiality, integrity, and availability of the CMS and any connected enterprise resources. Organizations relying on ci4ms for content management or ERP functions risk data breaches, insider threats, and potential lateral movement within their networks. The indefinite session persistence increases the window of opportunity for attackers to exploit the system undetected. Given the critical CVSS score, the impact is severe and could result in significant operational disruption, reputational damage, and regulatory non-compliance for affected organizations worldwide.

1. Immediate upgrade to ci4ms version 0.31.0.0 or later, where the vulnerability is patched. 2. Implement strict session management policies that enforce session invalidation upon account deletion or role changes. 3. Introduce session expiration mechanisms with reasonable timeouts to limit session lifetime. 4. Monitor active sessions and audit session activity regularly to detect anomalies or unauthorized persistence. 5. Employ multi-factor authentication (MFA) to reduce risk from compromised sessions. 6. Review and enhance backend logic to enforce access control checks continuously during session lifetime, not only at login. 7. Conduct penetration testing and code reviews focusing on session and access control mechanisms. 8. Educate administrators on promptly terminating sessions when user accounts are disabled or deleted. 9. Consider implementing real-time session revocation capabilities integrated with user management workflows.