CVE-2026-34570

CVE-2026-34570 is a high-severity security vulnerability in ci4-cms-erp/ci4ms (composer), affecting versions <= 0.28.6.0. It is fixed in 0.31.0.0.

Summary

Vulnerability: Improper Session Invalidation on Account Deletion (Broken Access Control / Logic Flaw)

  • This vulnerability is caused by a backend logic flaw that maintains a false trust assumption that already-authenticated users remain trustworthy, even after their accounts are explicitly deleted. As a result, administrative security actions do not behave as intended, allowing persistent unauthorized access.

Description

The application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions.

The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deleted accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw.

Affected Functionality

  • User session management and authentication logic
  • Account deletion mechanism
  • All authenticated endpoints, including administrative and content interfaces

Attack Scenario

  • A user logs into the application.
  • An administrator deletes the user account.
  • The user remains fully logged in and can continue performing all actions allowed by their role indefinitely, as there is no session expiration.
  • The user can continue invoking backend methods, triggering application actions, accessing sensitive interfaces (including user management if permitted), and interacting with the system as if the account were still active.
  • Access is only lost if the user manually logs out, which may never occur.

Steps To Reproduce (PoC)

  1. Create or use an existing user account.
  2. Log into the application using this account.
  3. From an administrative account, delete the logged-in user account.
  4. Observe that the target user remains authenticated.
  5. Verify that the user can still access protected functionality, invoke actions, and interact with the application as before.
  6. Confirm that the user only loses access after manually logging out (if they choose to do so).

Ready Video POC:

https://mega.nz/file/7dlUTQAB#0oXOapF5XYN4DRRG1xYj6DajmuP72MpMdsHqbVBMmWw

Impact

  • Unauthorized Continued Access: Deleted users retain full access indefinitely, violating intended access control and expected security behavior.
  • Bypass of Administrative Controls: Administrative actions (deletion) fail to immediately restrict active sessions.
  • Logic Flaw Resulting in Broken Behavior: Backend authorization logic relies on a flawed trust assumption that authenticated users remain valid, enforcing account state only at login.
  • Full Functional Access Retained: Deleted users can continue invoking application methods, executing actions, interacting with protected endpoints, and using the system exactly as before deletion.
  • Privilege Abuse: Users with elevated roles (moderator, editor, administrator) can continue performing privileged actions after account deletion, including accessing user management interfaces and modifying application state.
  • Service Disruption Potential: Persistent access allows attackers to disrupt services, manipulate content, or interfere with normal application operations.
  • Attack Persistence: Attackers can maintain access indefinitely, increasing the risk of data exfiltration, unauthorized modifications, or further privilege escalation.
  • False Sense of Remediation: Administrators may believe a threat has been mitigated while the deleted user remains active within the system.

Endpoint Example: Any endpoint accessible to authenticated users, including dashboards, administrative interfaces, user management pages, and API endpoints.

CVE-2026-34570 has a CVSS score of 8.8 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.31.0.0); upgrading removes the vulnerable code path.

Affected versions

ci4-cms-erp/ci4ms (<= 0.28.6.0)

Security releases

ci4-cms-erp/ci4ms → 0.31.0.0 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

  • Immediately invalidate all active sessions when an account is deleted.
  • Enforce account status checks on every authenticated request, not only during login.
  • Introduce proper session expiration or account expiration mechanisms to prevent indefinite access.
  • Correct the backend logic flaw to ensure access control behavior aligns with intended security design and does not rely on unsafe trust assumptions.

Frequently Asked Questions

  1. What is CVE-2026-34570? CVE-2026-34570 is a high-severity security vulnerability in ci4-cms-erp/ci4ms (composer), affecting versions <= 0.28.6.0. It is fixed in 0.31.0.0.
  2. How severe is CVE-2026-34570? CVE-2026-34570 has a CVSS score of 8.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of ci4-cms-erp/ci4ms are affected by CVE-2026-34570? ci4-cms-erp/ci4ms (composer) versions <= 0.28.6.0 is affected.
  4. Is there a fix for CVE-2026-34570? Yes. CVE-2026-34570 is fixed in 0.31.0.0. Upgrade to this version or later.
  5. Is CVE-2026-34570 exploitable, and should I be worried? Whether CVE-2026-34570 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-34570 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-34570? Upgrade ci4-cms-erp/ci4ms to 0.31.0.0 or later.

Other vulnerabilities in ci4-cms-erp/ci4ms

CVE-2026-45270CVE-2026-45138CVE-2026-41891CVE-2026-41890CVE-2026-41587

Stop the waste.
Protect your environment with Kodem.