CVE-2026-34572: CWE-284: Improper Access Control in ci4-cms-erp ci4ms
CVE-2026-34572 is a high-severity improper access control vulnerability in ci4ms, a CodeIgniter 4-based CMS. The flaw allows deactivated user accounts to maintain active sessions indefinitely because session revocation only occurs at login, not during active sessions. This logic flaw means that users whose accounts are disabled can continue accessing the system until they manually log out, violating intended access control policies. The vulnerability affects versions prior to 0.31.0.0 and has been patched in that release. Exploitation requires at least low privileges and no user interaction, with a network attack vector. The vulnerability impacts confidentiality, integrity, and availability, as unauthorized users retain full access. Organizations using ci4ms should upgrade immediately and implement session management improvements to mitigate risk.
AI Analysis
Technical Summary
CVE-2026-34572 is a critical improper access control vulnerability identified in ci4ms, a modular CMS built on the CodeIgniter 4 framework. The root cause lies in the backend logic that fails to revoke active user sessions when an account is deactivated. Specifically, the system enforces account state changes only during the authentication process (login), assuming that once authenticated, users remain trusted for the entire session duration. There is no mechanism to expire or invalidate sessions upon account deactivation, allowing deactivated users to maintain persistent access until they manually log out. This behavior violates the principle of least privilege and breaks the intended Role-Based Access Control (RBAC) policy. The vulnerability is classified under CWE-284 (Improper Access Control), CWE-613 (Insufficient Session Expiration), and CWE-1254 (Session Fixation or Improper Session Handling). The CVSS v3.1 base score is 8.8 (high), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The issue was resolved in ci4ms version 0.31.0.0 by implementing immediate session revocation upon account deactivation and improving session expiration handling. No public exploits have been reported yet, but the flaw presents a significant risk for unauthorized persistent access in affected deployments.
Potential Impact
The vulnerability allows deactivated users to retain unauthorized access to the system indefinitely, potentially leading to data breaches, unauthorized modifications, and disruption of services. This undermines the integrity of access control policies and can facilitate insider threats or compromised accounts to persist undetected. Organizations relying on ci4ms for content management or enterprise resource planning may face exposure of sensitive information, unauthorized administrative actions, and potential compliance violations. The persistence of active sessions despite account deactivation complicates incident response and forensic investigations. The broad impact on confidentiality, integrity, and availability makes this a critical risk, especially for organizations with high-value data or regulatory requirements. Attackers with low privileges can exploit this flaw remotely without user interaction, increasing the threat surface and ease of exploitation.
Mitigation Recommendations
Organizations should immediately upgrade ci4ms to version 0.31.0.0 or later, where the vulnerability is patched. In addition to patching, it is recommended to implement the following measures:
1) Enforce strict session management policies, including session expiration and invalidation upon account state changes.
2) Monitor active sessions continuously and provide administrators with tools to forcibly terminate sessions associated with deactivated accounts.
3) Implement multi-factor authentication to reduce risk from compromised credentials.
4) Conduct regular audits of user sessions and access logs to detect anomalies.
5) Harden backend logic to validate user account status on every sensitive operation, not just at login.
6) Educate users and administrators about the importance of logging out and promptly reporting suspicious activity.
7) Deploy Web Application Firewalls (WAF) with custom rules to detect abnormal session behaviors.
8) Integrate session management with centralized identity and access management (IAM) solutions to improve control and visibility.
These steps will reduce the risk of persistent unauthorized access and improve overall security posture.
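The following is an added example, not code from ci4ms or the CodeIgniter project, that contrasts the login-only account check described in the technical summary with the two controls the mitigation list asks for: revoking live sessions when an account is deactivated, and re-validating account status on every request. The `User`, `Session`, `Backend`, `VulnerableBackend` and `HardenedBackend` names, the in-memory session store and the sample credentials are all constructed stand-ins for a CMS backend and its session handler; they assume nothing about the real ci4ms code.

```python
"""Session revocation on account deactivation.

Added example (not ci4ms code): an in-memory stand-in for a CMS backend,
showing the login-only status check beside a hardened variant.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    password: str          # plaintext only because this is a constructed demo
    active: bool = True


@dataclass
class Session:
    user: str
    created: float = field(default_factory=time.time)


class Backend:
    """Shared login/deactivate logic; subclasses differ in request handling."""

    def __init__(self, users):
        self.users = {u.username: u for u in users}
        self.sessions = {}   # session id -> Session (stand-in for a session store)

    def login(self, username, password):
        user = self.users.get(username)
        # Account state is checked here, at authentication time, in both variants.
        if user is None or user.password != password or not user.active:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user=username)
        return sid

    def deactivate(self, username):
        self.users[username].active = False


class VulnerableBackend(Backend):
    """Pattern described in the advisory: a session is trusted for its whole
    lifetime once it exists, so deactivation only takes effect at next login."""

    def handle_request(self, sid):
        sess = self.sessions.get(sid)
        if sess is None:
            return 401
        return 200   # account status is never re-examined


class HardenedBackend(Backend):
    """Two complementary controls: revoke on deactivation, re-check per request."""

    MAX_AGE = 8 * 3600   # absolute session lifetime (CWE-613 mitigation)

    def deactivate(self, username):
        super().deactivate(username)
        # Control 1: drop every live session that belongs to the account.
        stale = [sid for sid, s in self.sessions.items() if s.user == username]
        for sid in stale:
            del self.sessions[sid]

    def handle_request(self, sid):
        sess = self.sessions.get(sid)
        if sess is None:
            return 401
        if time.time() - sess.created > self.MAX_AGE:
            self.sessions.pop(sid, None)
            return 401
        # Control 2: re-validate account state on every request, so a session
        # that survived revocation (replication lag, a second session store)
        # is still refused and destroyed.
        user = self.users.get(sess.user)
        if user is None or not user.active:
            self.sessions.pop(sid, None)
            return 403
        return 200


def demo(backend_cls):
    """Log in, serve a request, deactivate the account, try again, re-login."""
    backend = backend_cls([User("alice", "s3cret")])   # constructed credentials
    sid = backend.login("alice", "s3cret")
    before = backend.handle_request(sid)
    backend.deactivate("alice")
    after = backend.handle_request(sid)
    relogin = backend.login("alice", "s3cret")
    return before, after, relogin


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableBackend))   # (200, 200, None)
    print("hardened:  ", demo(HardenedBackend))     # (200, 401, None)
```

Both variants refuse a fresh login for the deactivated account; only the hardened one refuses the session that already existed. Control 2 is what mitigation 5) asks for and is cheap (one status lookup per request, which can be cached briefly); control 1 is what makes administrator-driven termination of sessions (mitigation 2) possible, and it needs a session store that can be enumerated by user, which file-based PHP sessions do not give you without an index.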
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-30T16:56:30.998Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69cd93efe6bfc5ba1d0036ee
Added to database: 4/1/2026, 9:53:51 PM
Last enriched: 4/1/2026, 10:08:30 PM
Last updated: 4/1/2026, 10:54:15 PM