PT-2026-29634 · Ci4Ms · Ci4Ms

Bugmithlegend · Published 2026-04-01 · Updated 2026-04-01 · CVE-2026-34570

CVSS v4.0: 10 (Critical)
AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: CI4MS versions prior to 0.31.0.0

Description: The application does not immediately revoke active user sessions when an account is deleted. The cause is a logic flaw: account state changes are enforced only at login, never against existing sessions. The system therefore treats an already-authenticated user as trustworthy even after the account has been deleted, so access persists indefinitely until the user logs out on their own. This breaks access control and allows persistent unauthorized access. The issue affects all authenticated endpoints, including administrative and content interfaces.

Recommendations: Invalidate all active sessions immediately when an account is deleted. Enforce account status checks on every authenticated request, not only at login. Introduce proper session expiration and account expiration mechanisms so that no session can grant indefinite access. Correct the backend logic flaw so that access control behavior matches the intended security design and does not rest on the unsafe assumption that a session, once established, stays valid.
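The following is an added example of the per-request check the recommendations call for; it is not Ci4Ms project code. It is a CodeIgniter 4 filter (Ci4Ms is built on CodeIgniter 4) that re-validates the logged-in account on every request and destroys the session as soon as the account is missing, soft-deleted or not active. The table name `users`, the columns `id`, `status` and `deleted_at`, the session key `user_id` and the filter alias `accountStatus` are all assumptions made for illustration.

```php
<?php
// Added example, not Ci4Ms code. Assumes a CodeIgniter 4 application, a `users`
// table with `id`, `status` and `deleted_at` columns, and a session key `user_id`
// that the login code sets. Those names are assumptions for illustration.
namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use Config\Database;

class AccountStatusFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        $session = session();
        $userId  = $session->get('user_id');

        if ($userId === null) {
            // Anonymous request: nothing to re-validate here. A separate
            // authentication filter decides whether login is required.
            return;
        }

        // Look the account up on every authenticated request, not only at login.
        // Any result other than "present, not soft-deleted, status active" means
        // the session must not continue to grant access.
        $row = Database::connect()
            ->table('users')
            ->select('status, deleted_at')
            ->where('id', $userId)
            ->get()
            ->getRowArray();

        $accountGone = $row === null                  // hard-deleted
            || $row['deleted_at'] !== null            // soft-deleted
            || $row['status'] !== 'active';           // suspended or disabled

        if ($accountGone) {
            // Drop the server-side session data and the cookie binding now, so
            // the deleted account cannot ride an old session until manual logout.
            $session->destroy();
            return redirect()->to('/login')
                ->with('error', 'Your account is no longer active.');
        }
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do after the controller has run.
    }
}

// Registration (goes in app/Config/Filters.php of the application; shown here as
// a comment because it lives in a different file):
//
//   public array $aliases = [
//       'accountStatus' => \App\Filters\AccountStatusFilter::class,
//   ];
//   public array $globals = [
//       'before' => ['accountStatus'],
//   ];
//
// Running the filter globally covers every route, including administrative and
// content endpoints, rather than relying on each controller to remember the check.
```

The filter returns a `RedirectResponse` to stop the request before any controller runs, which is how a CodeIgniter 4 `before` filter short-circuits. Pairing it with a finite `$expiration` in `app/Config/Session.php` gives the session expiration the recommendations also ask for; the filter handles revocation on deletion, the expiration bounds how long any session can live at all.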

Fix

Weakness Enumeration

Insufficient Session Expiration
Improper Access Control

Related Identifiers

CVE-2026-34570
GHSA-4VXV-4XQ4-P84H

Affected Products

Ci4Ms