PT-2026-29636 · Ci4Ms · Ci4Ms
Reported by Bugmithlegend · Published 2026-04-01 · Updated 2026-04-02
CVE-2026-34572
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
CI4MS versions prior to 0.31.0.0
Description
The application does not revoke active user sessions when an account is deactivated. The cause is a logic flaw: account status is enforced only at login and never re-checked against existing sessions, and no session or account expiration mechanism bounds how long an authenticated session stays valid. A session that was established before the account was disabled therefore keeps its privileges until the holder logs out on their own. This breaks access control and results in unauthorized access by an account that administrators believe is disabled. The issue affects all authenticated endpoints, including administrative and content interfaces.
Recommendations
Immediately invalidate all active sessions of an account when it is deactivated.
Enforce account status checks on every authenticated request, not only at login.
Introduce session expiration (absolute and idle timeouts) or account expiration mechanisms.
Correct the backend logic flaw so that enforced access control matches the intended security design.
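The following Python example is added here to show the flaw and the fix side by side; it is not Ci4Ms code and makes no claim about how Ci4Ms stores sessions. `VulnerableApp` models the pattern described above (account state checked only at `login`, sessions never touched on deactivation); `HardenedApp` applies the first three recommendations: it revokes the account's sessions on deactivation, re-checks account status on every request, and enforces an absolute session lifetime. The user records, tokens and `SESSION_LIFETIME` value are constructed for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed absolute session lifetime in seconds (constructed value, not a Ci4Ms setting).
SESSION_LIFETIME = 3600


@dataclass
class User:
    username: str
    active: bool = True


@dataclass
class Session:
    username: str
    created: float
    last_seen: float


class VulnerableApp:
    """Models the reported behaviour: account state is checked only at login."""

    def __init__(self, users):
        self.users = {u.username: u for u in users}
        self.sessions = {}  # token -> Session

    def login(self, username):
        user = self.users.get(username)
        if user is None or not user.active:
            return None  # the only place account status is ever consulted
        token = secrets.token_urlsafe(32)
        now = time.time()
        self.sessions[token] = Session(username, now, now)
        return token

    def deactivate(self, username):
        # Flips the flag but leaves every live session of the account intact.
        self.users[username].active = False

    def authorize(self, token, now=None):
        # Asks only "does a session exist?", never "is the account still active?"
        return token in self.sessions


class HardenedApp(VulnerableApp):
    """Applies the recommendations: revoke on deactivation, re-check per request, expire."""

    def deactivate(self, username):
        self.users[username].active = False
        # Recommendation 1: drop every session belonging to the account immediately.
        self.sessions = {t: s for t, s in self.sessions.items() if s.username != username}

    def authorize(self, token, now=None):
        now = time.time() if now is None else now
        session = self.sessions.get(token)
        if session is None:
            return False
        # Recommendation 3: absolute session expiration; stale sessions are discarded.
        if now - session.created > SESSION_LIFETIME:
            del self.sessions[token]
            return False
        # Recommendation 2: re-check account status on every request, so even a status
        # change made outside deactivate() (e.g. directly in the database) is enforced.
        user = self.users.get(session.username)
        if user is None or not user.active:
            self.sessions.pop(token, None)
            return False
        session.last_seen = now
        return True


def demo():
    """Log in, deactivate, then retry the old session against both implementations."""
    vuln = VulnerableApp([User("alice")])
    hard = HardenedApp([User("alice")])
    v_tok = vuln.login("alice")
    h_tok = hard.login("alice")
    vuln.deactivate("alice")
    hard.deactivate("alice")
    return {
        "vulnerable_after_deactivation": vuln.authorize(v_tok),  # True: still accepted
        "hardened_after_deactivation": hard.authorize(h_tok),    # False: revoked
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the per-request status check is the one that matters most: it catches deactivations performed through any path (admin UI, API, direct database edit), whereas revoking sessions in the deactivation handler protects only the code paths that call that handler. Doing both, plus an absolute lifetime, is what the recommendations above describe.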
Weakness types: Insufficient Session Expiration (CWE-613), Improper Access Control (CWE-284)
Affected Products: Ci4Ms