PT-2026-37161 · Ci4Ms
Dapickle · Published 2026-05-04 · Updated 2026-05-07
CVE-2026-41891 · CVSS v4.0 5.3 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
CI4MS versions 0.26.0 through 0.31.7.0
Description
The auth filter contains commented-out code for checking whether a user is deactivated or banned. While the loggedIn() function in CodeIgniter Shield verifies the status field to identify banned users, it does not re-verify the active field for existing sessions. Consequently, if an administrator deactivates a user by setting active to 0 after the user has already authenticated, the session cookie remains valid and auth()->loggedIn() continues to return true. This allows a deactivated user to retain full backend access until their session expires.
Recommendations
Update to version 0.31.8.0.
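To illustrate the missing check described above, the following auth filter re-verifies the active flag on every request and terminates the session when it is cleared (added example, not Ci4Ms or Shield project code; it assumes Shield's session authenticator, a users.active column cast to boolean, and the hypothetical class name ActiveUserFilter):

```php
<?php

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

/**
 * Added example (not the Ci4Ms or Shield project's code): an auth filter
 * that re-checks the user's `active` flag on every request, so a session
 * established before deactivation no longer grants backend access.
 * Assumes Shield's session authenticator and a `users.active` column.
 */
class ActiveUserFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        // Not authenticated at all: let the regular login filter handle it.
        if (! auth()->loggedIn()) {
            return;
        }

        // auth()->user() is loaded from the users table for this request,
        // so an administrator's later "UPDATE users SET active = 0" is seen here.
        $user = auth()->user();

        // A deactivated (active = 0) user is handled like a banned one:
        // drop the server-side session instead of trusting the cookie.
        if ($user === null || ! $user->active || $user->isBanned()) {
            $userId = $user === null ? 'unknown' : (string) $user->id;
            auth()->logout();
            log_message('warning', 'Session terminated for deactivated/banned user id {id}', ['id' => $userId]);

            return redirect()->to('/login')->with('error', 'Your account has been deactivated.');
        }
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do after the controller has run.
    }
}
```

Register the class as a filter alias in app/Config/Filters.php and apply it to the backend route group alongside the existing session filter; this is a defence-in-depth check and does not replace updating to the fixed version.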
Fix
Insufficient Session Expiration
Weakness Enumeration
Related Identifiers
Affected Products
Ci4Ms