Summary
Vulnerability: Improper Session Invalidation on Account Deactivation (Broken Access Control / Logic Flaw)
- Root cause: a backend logic flaw checks account state only at login, so the application keeps trusting an already-authenticated session even after the account has been explicitly deactivated. Administrative deactivation therefore has no effect on live sessions, allowing persistent unauthorized access.
Description
The application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions.
The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deactivated accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw.
Affected Functionality
- User session management and authentication logic
- Account deactivation mechanism
- All authenticated endpoints, including administrative and content interfaces
Attack Scenario
- A user logs into the application.
- An administrator deactivates the user account.
- The user remains fully logged in and can continue performing all actions allowed by their role indefinitely, as there is no session expiration.
- The user can continue invoking backend methods, triggering application actions, accessing sensitive interfaces (including user management if permitted), and interacting with the system as if the account were still active.
- Access is only lost if the user manually logs out, which may never occur.
Steps To Reproduce (PoC)
- Create or use an existing user account.
- Log into the application using this account.
- From an administrative account, deactivate the logged-in user account.
- Observe that the target user remains authenticated.
- Verify that the user can still access protected functionality, invoke actions, and interact with the application as before.
- Confirm that the user only loses access after manually logging out (if they choose to do so).
Video PoC:
https://mega.nz/file/zJkhwCII#G1-TecKmNBJmEeBS0ExsAY_RXEmAl3QqMqu4t5oy844
Impact
- Unauthorized Continued Access: Deactivated users retain full access indefinitely, violating intended access control and expected security behavior.
- Bypass of Administrative Controls: Administrative actions (deactivation) fail to immediately restrict active sessions.
- Logic Flaw Resulting in Broken Behavior: Backend authorization logic relies on a flawed trust assumption that authenticated users remain valid, enforcing account state only at login.
- Full Functional Access Retained: Deactivated users can continue invoking application methods, executing actions, interacting with protected endpoints, and using the system exactly as before being deactivated.
- Privilege Abuse: Users with elevated roles (moderator, editor, administrator) can continue performing privileged actions after account deactivation, including accessing user management interfaces and modifying application state.
- Service Disruption Potential: Persistent access allows attackers to disrupt services, manipulate content, or interfere with normal application operations.
- Attack Persistence: Attackers can maintain access indefinitely, increasing the risk of data exfiltration, unauthorized modifications, or further privilege escalation.
- False Sense of Remediation: Administrators may believe a threat has been mitigated while the deactivated user remains active within the system.
Endpoint Example: Any endpoint accessible to authenticated users, including dashboards, administrative interfaces, user management pages, and API endpoints.
CVE-2026-34572 has a CVSS score of 8.8 (High): the attack vector is network, with low privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.31.0.0); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
- Immediately invalidate all active sessions when an account is deactivated.
- Enforce account status checks on every authenticated request, not only during login.
- Introduce proper session expiration or account expiration mechanisms to prevent indefinite access.
- Correct the backend logic flaw to ensure access control behavior aligns with intended security design and does not rely on unsafe trust assumptions.
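The attack scenario and the remediation bullets above both come down to where account state is checked. The following is an added example, not code from ci4ms or from Kodem: a framework-agnostic Python model that places the flawed deactivate/request pair next to a fixed one. The fixed variant revokes every session of a deactivated account, re-checks account status on every request, and enforces idle and absolute session lifetimes. The names (`SessionStore`, `request_fixed`, `run_scenario`), the account `alice` and the clock values are assumptions constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Account:
    user_id: str
    role: str
    active: bool = True


@dataclass
class Session:
    user_id: str
    created_at: float   # for the absolute lifetime limit
    last_seen: float    # for the idle timeout


class SessionStore:
    """Server-side session store with a user -> session-id index, so that
    deactivating a user can revoke all of that user's sessions in one call."""

    def __init__(self, max_idle: float = 30 * 60, max_lifetime: float = 8 * 3600):
        self.max_idle = max_idle
        self.max_lifetime = max_lifetime
        self._sessions: dict[str, Session] = {}
        self._by_user: dict[str, set[str]] = {}

    def create(self, user_id: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)          # unguessable session id
        self._sessions[sid] = Session(user_id, now, now)
        self._by_user.setdefault(user_id, set()).add(sid)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def revoke(self, sid: str) -> None:
        sess = self._sessions.pop(sid, None)
        if sess is not None:
            self._by_user.get(sess.user_id, set()).discard(sid)

    def revoke_all_for_user(self, user_id: str) -> int:
        sids = list(self._by_user.get(user_id, ()))
        for sid in sids:
            self.revoke(sid)
        return len(sids)

Accounts = dict[str, Account]

def login(accounts: Accounts, store: SessionStore, user_id: str, now: float) -> Optional[str]:
    """Login is the only place the flawed design checks account state."""
    acct = accounts.get(user_id)
    if acct is None or not acct.active:
        return None
    return store.create(user_id, now)

def deactivate_vulnerable(accounts: Accounts, store: SessionStore, user_id: str) -> int:
    """Flawed deactivation: flips the flag and leaves live sessions untouched."""
    accounts[user_id].active = False
    return 0

def request_vulnerable(accounts: Accounts, store: SessionStore, sid: str, now: float) -> bool:
    """Flawed per-request check: any session that exists is trusted unconditionally."""
    return store.get(sid) is not None

def deactivate_fixed(accounts: Accounts, store: SessionStore, user_id: str) -> int:
    """Fixed deactivation: flip the flag, then revoke every session of that user."""
    accounts[user_id].active = False
    return store.revoke_all_for_user(user_id)

def request_fixed(accounts: Accounts, store: SessionStore, sid: str, now: float) -> bool:
    """Fixed per-request check: session must exist, be within its idle and absolute
    limits, and belong to an active account; any failure revokes the session."""
    sess = store.get(sid)
    if sess is None:
        return False
    acct = accounts.get(sess.user_id)
    expired = (now - sess.last_seen > store.max_idle
               or now - sess.created_at > store.max_lifetime)
    if acct is None or not acct.active or expired:
        store.revoke(sid)
        return False
    sess.last_seen = now
    return True

def run_scenario(deactivate: Callable[..., int], request: Callable[..., bool]) -> dict:
    """Replays the advisory's scenario: login, admin deactivates, user keeps sending requests."""
    accounts: Accounts = {"alice": Account("alice", "editor")}   # constructed account
    store = SessionStore()
    t0 = 1_700_000_000.0                                          # constructed clock
    sid = login(accounts, store, "alice", t0)
    before = request(accounts, store, sid, t0 + 10)
    deactivate(accounts, store, "alice")
    after = request(accounts, store, sid, t0 + 20)
    relogin = login(accounts, store, "alice", t0 + 30)
    return {"before": before, "after_deactivation": after,
            "relogin_allowed": relogin is not None}
```

`run_scenario(deactivate_vulnerable, request_vulnerable)` reproduces the advisory: the existing session keeps working after deactivation even though a fresh login is refused. With `deactivate_fixed` and `request_fixed`, the first request after deactivation is denied and the session is removed. Note that `request_fixed` on its own, paired with the flawed deactivation, also denies access; the per-request status check is the backstop when the session backend cannot enumerate sessions per user, while the bulk revocation gives the immediate cut-off the first remediation bullet asks for.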
Frequently Asked Questions
- What is CVE-2026-34572? CVE-2026-34572 is a high-severity security vulnerability in ci4-cms-erp/ci4ms (composer), affecting versions <= 0.28.6.0. It is fixed in 0.31.0.0.
- How severe is CVE-2026-34572? CVE-2026-34572 has a CVSS score of 8.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of ci4-cms-erp/ci4ms are affected by CVE-2026-34572? ci4-cms-erp/ci4ms (composer) versions <= 0.28.6.0 are affected.
- Is there a fix for CVE-2026-34572? Yes. CVE-2026-34572 is fixed in 0.31.0.0. Upgrade to this version or later.
- Is CVE-2026-34572 exploitable, and should I be worried? Whether CVE-2026-34572 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-34572 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-34572? Upgrade ci4-cms-erp/ci4ms to 0.31.0.0 or later.