GHSA-5HFV-C864-QCQ9

Vulnerability from github – Published: 2026-05-04 20:50 – Updated: 2026-05-08 20:14
VLAI
Summary
CI4MS has a Deactivated User Session Bypass (active=0)
Details

Summary

The auth filter has the deactivated/banned user check commented out.

Details

CodeIgniter Shield's loggedIn() re-checks the status field (catching status='banned'), but does not re-check the active field for existing sessions. When an admin deactivates a user (active=0) after they have already logged in: - Their session cookie remains valid - auth()->loggedIn() still returns true - The commented-out code is the only mechanism that would have checked !$user->active

Evidence

image

Impact

  • User deactivation does NOT immediately revoke backend access
  • Deactivated user retains full access until session expires (default: 7200s)

Additional note

The commented-out block appears to be a deferred placeholder — it was written but disabled from the very first commit that introduced the filter, and has never been active. The later addition of SessionTracker (v0.31.4.0) suggests the dev was aware of the session revocation gap, but account-level deactivation (users.active = 0) remains unenforced. Could you verify if this is intentionally pending or simply forgotten and not documented?.

Severity
5.3 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.31.7.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "ci4-cms-erp/ci4ms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.26.0"
            },
            {
              "fixed": "0.31.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41891"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T20:50:55Z",
    "nvd_published_at": "2026-05-07T04:16:33Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe auth filter has the deactivated/banned user check commented out. \n\n### Details\nCodeIgniter Shield\u0027s `loggedIn()` re-checks the `status` field (catching `status=\u0027banned\u0027`), but does **not** re-check the `active` field for existing sessions. When an admin deactivates a user (`active=0`) after they have already logged in:\n- Their session cookie remains valid\n- `auth()-\u003eloggedIn()` still returns `true`\n- The commented-out code is the only mechanism that would have checked `!$user-\u003eactive`\n\n### Evidence\n\u003cimg width=\"981\" height=\"654\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6f75d144-5bcf-4a3f-bc35-bb0715c3ed05\" /\u003e\n\n\n### Impact\n- User deactivation does NOT immediately revoke backend access\n- Deactivated user retains full access until session expires (default: 7200s)\n\n### Additional note\nThe commented-out block appears to be a deferred placeholder \u2014 it was written but disabled from the very first commit that introduced the filter, and has never been active. The later addition of SessionTracker (v0.31.4.0) suggests the dev was aware of the session revocation gap, but account-level deactivation (users.active = 0) remains unenforced. Could you verify if this is intentionally pending or simply forgotten and not documented?.",
  "id": "GHSA-5hfv-c864-qcq9",
  "modified": "2026-05-08T20:14:41Z",
  "published": "2026-05-04T20:50:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-5hfv-c864-qcq9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41891"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/commit/2f38284281ce6b435ea42003951f14109ac2cea7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ci4-cms-erp/ci4ms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.8.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "CI4MS has a Deactivated User Session Bypass (active=0)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.