Platform: php
Component: ci4-cms-erp/ci4ms
Fixed in: 0.31.1, 0.31.0.0
CVE-2026-34570 describes a broken access control vulnerability in the ci4-cms-erp/ci4ms component. The flaw is a logic error in the account-deletion path: sessions that belong to an account are not invalidated when that account is deleted, so the deleted account's sessions keep working. The vulnerability affects ci4-cms-erp versions up to and including 0.28.6.0. The fix ships in version 0.31.0.0 (the page header also lists 0.31.1 as a fixed release).
The core impact of CVE-2026-34570 is continued use of a session that should have died with its account. Whoever holds a session token issued to a user (an attacker who obtained that user's session, or an attacker whose own compromised or rogue account an administrator has just removed) can keep presenting the token and act as the deleted user. Deleting an account is the usual response to a suspected compromise, which is exactly when revocation matters most. The blast radius is bounded by the privileges of the deleted account: if it was an administrator, the session holder can read sensitive data and perform administrative functions across the whole system. The underlying failure is an access-control assumption that an authenticated session stays trustworthy for its entire lifetime, without re-checking that the principal behind it still exists.
CVE-2026-34570 was published on 2026-04-01. Severity is rated HIGH with a CVSS score of 8.8. There are no publicly known Proof-of-Concept (PoC) exploits. The EPSS score recorded on this page is 0.08% (25th percentile). The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, so no active exploitation campaign is known at this time.
Exploit Status
EPSS: 0.08% (25th percentile)
CISA SSVC: not shown on this page
CVSS Vector: not shown on this page
The primary mitigation for CVE-2026-34570 is to upgrade to ci4-cms-erp version 0.31.0.0, which fixes the broken access control. If you cannot upgrade immediately, close the gap server-side: the defect is that the server keeps honoring a token for a principal that no longer exists, so the workaround has to live where the token is validated. Change the account-deletion process so that every session belonging to the deleted user is revoked at deletion time, and have the application re-check on each request that the user referenced by the session still exists. Shorten the session expiration setting so that any session that does escape revocation dies sooner. A Web Application Firewall cannot see the binding between a session cookie and an account row, so WAF rules for session activity around deletion events are at best a detective control, not a fix. Monitor application logs for requests carrying a session for a user id that has no matching account, and for account-deletion events followed by continued activity from the deleted user.
Update to version 0.31.0.0 or later to mitigate the vulnerability. This update corrects the logic flaw in session invalidation, ensuring that deleted accounts lose access immediately and preventing persistent unauthorized access.
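The request-time check described above, written as a CodeIgniter 4 filter. This is an added example, not code from the ci4-cms-erp/ci4ms project; it assumes a `users` table with an integer `id` primary key, that the login flow stores the user's id in the session under the key `user_id`, and that the normal login page lives at `/login`. Adjust all three to match your application.

```php
<?php
// Added example (not part of ci4-cms-erp/ci4ms).
// Assumptions: `users` table with integer `id`; session key 'user_id';
// login route at /login. Save as app/Filters/SessionOwnerExists.php.

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use Config\Database;

/**
 * Rejects any request whose session refers to a user that no longer exists.
 *
 * The vulnerable behaviour is to trust an authenticated session for its whole
 * lifetime. This filter re-checks the principal on every request, so a session
 * issued to an account that has since been deleted is destroyed on first use
 * instead of surviving until it expires.
 */
class SessionOwnerExists implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        $session = session();
        $userId  = $session->get('user_id');

        if ($userId === null) {
            // Anonymous request: nothing to validate here. The regular
            // authentication filter decides whether the route needs a login.
            return;
        }

        // One primary-key lookup per request; cheap, and it cannot be
        // bypassed by a stale cached permission object.
        $row = Database::connect()
            ->table('users')
            ->select('id')
            ->where('id', (int) $userId)
            ->get()
            ->getRow();

        if ($row === null) {
            // The account is gone. Drop the server-side session data, which
            // also invalidates the cookie the client is presenting, then
            // short-circuit the request before any controller runs.
            $session->destroy();

            return redirect()->to('/login');
        }
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do after the controller has run.
    }
}

// Registration (app/Config/Filters.php). Making it a global "before" filter
// means every route, including admin routes, gets the check:
//
//   public array $aliases = [
//       // ... existing aliases ...
//       'sessionOwner' => \App\Filters\SessionOwnerExists::class,
//   ];
//
//   public array $globals = [
//       'before' => ['sessionOwner'],
//       'after'  => [],
//   ];
```

This is the deny-by-default half of the fix: it works with any session handler because it never needs to enumerate sessions by user. The other half, revoking all of a user's sessions at deletion time, requires an index from user id to session id that the framework's default file and database session handlers do not keep; if you add one, call it from the deletion code path and keep this filter as the backstop for sessions the index missed.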
It's a broken access control vulnerability in ci4-cms-erp where user sessions aren't invalidated upon account deletion, allowing persistent unauthorized access.
If you're using ci4-cms-erp versions 0.28.6.0 or earlier, you are potentially affected by this vulnerability.
Upgrade to version 0.31.0.0 of ci4-cms-erp. If upgrading isn't possible immediately, implement temporary workarounds like stricter session timeouts and WAF rules.
Currently, there are no publicly known Proof-of-Concept exploits or active exploitation campaigns reported for CVE-2026-34570.
Refer to the official CVE entry on the NVD (National Vulnerability Database) and the vendor's security advisory for detailed information and updates.