GHSA-4vxv-4xq4-p84h

Source

https://github.com/advisories/GHSA-4vxv-4xq4-p84h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4vxv-4xq4-p84h/GHSA-4vxv-4xq4-p84h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4vxv-4xq4-p84h

Aliases

CVE-2026-34570

Published

2026-04-01T22:08:29Z

Modified

2026-04-01T22:18:38.223665Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

Details

Summary

Vulnerability: Improper Session Invalidation on Account Deletion (Broken Access Control / Logic Flaw)

This vulnerability is caused by a backend logic flaw that maintains a false trust assumption that already-authenticated users remain trustworthy, even after their accounts are explicitly deleted. As a result, administrative security actions do not behave as intended, allowing persistent unauthorized access.

Description

The application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions.

The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deleted accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw.

Affected Functionality

User session management and authentication logic
Account deletion mechanism
All authenticated endpoints, including administrative and content interfaces

Attack Scenario

A user logs into the application.
An administrator deletes the user account.
The user remains fully logged in and can continue performing all actions allowed by their role indefinitely, as there is no session expiration.
The user can continue invoking backend methods, triggering application actions, accessing sensitive interfaces (including user management if permitted), and interacting with the system as if the account were still active.
Access is only lost if the user manually logs out, which may never occur.

Impact

Unauthorized Continued Access: Deleted users retain full access indefinitely, violating intended access control and expected security behavior.
Bypass of Administrative Controls: Administrative actions (deletion) fail to immediately restrict active sessions.
Logic Flaw Resulting in Broken Behavior: Backend authorization logic relies on a flawed trust assumption that authenticated users remain valid, enforcing account state only at login.
Full Functional Access Retained: Deleted users can continue invoking application methods, executing actions, interacting with protected endpoints, and using the system exactly as before deletion.
Privilege Abuse: Users with elevated roles (moderator, editor, administrator) can continue performing privileged actions after account deletion, including accessing user management interfaces and modifying application state.
Service Disruption Potential: Persistent access allows attackers to disrupt services, manipulate content, or interfere with normal application operations.
Attack Persistence: Attackers can maintain access indefinitely, increasing the risk of data exfiltration, unauthorized modifications, or further privilege escalation.
False Sense of Remediation: Administrators may believe a threat has been mitigated while the deleted user remains active within the system.

Endpoint Example: Any endpoint accessible to authenticated users, including dashboards, administrative interfaces, user management pages, and API endpoints.

Steps To Reproduce (PoC)

Create or use an existing user account.
Log into the application using this account.
From an administrative account, delete the logged-in user account.
Observe that the target user remains authenticated.
Verify that the user can still access protected functionality, invoke actions, and interact with the application as before.
Confirm that the user only loses access after manually logging out (if they choose to do so).

Remediation

Immediately invalidate all active sessions when an account is deleted.
Enforce account status checks on every authenticated request, not only during login.
Introduce proper session expiration or account expiration mechanisms to prevent indefinite access.
Correct the backend logic flaw to ensure access control behavior aligns with intended security design and does not rely on unsafe trust assumptions.

Ready Video POC:

https://mega.nz/file/7dlUTQAB#0oXOapF5XYN4DRRG1xYj6DajmuP72MpMdsHqbVBMmWw

Database specific

{
    "cwe_ids": [
        "CWE-1254",
        "CWE-284",
        "CWE-613"
    ],
    "github_reviewed": true,
    "nvd_published_at": null,
    "severity": "HIGH",
    "github_reviewed_at": "2026-04-01T22:08:29Z"
}

References

Affected packages

Packagist / ci4-cms-erp/ci4ms

Package

Name: ci4-cms-erp/ci4ms
Purl: pkg:composer/ci4-cms-erp/ci4ms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.31.0.0

Affected versions

0.*

0.21.0

0.21.1

0.21.2

0.21.3

0.21.3.1

0.21.3.2

0.21.3.3

0.21.3.4

0.21.3.5

0.21.3.6

0.21.3.7

0.23.0.0

0.23.0.1

0.23.0.2

0.23.1.0

0.24.0.0

0.24.0.16

0.24.0.18

0.24.0.19

0.24.0.20

0.24.0.27

0.24.0.42

0.24.0.45

0.24.0.60

0.25.0.0

0.25.0.1

0.25.0.2

0.25.0.30

0.25.0.39

0.25.0.43

0.25.1.0

0.25.2.0

0.25.3.0

0.26.0.0

0.26.1.0

0.26.2.0

0.26.3.0

0.26.3.1

0.26.3.2

0.26.3.3

0.26.3.4

0.27.0.0

0.28.0.0

0.28.3.0

0.28.4.0

0.28.5.0

0.28.6.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4vxv-4xq4-p84h/GHSA-4vxv-4xq4-p84h.json"

last_known_affected_version_range

"<= 0.28.6.0"