Improper Authentication in CodeIgniter4 - CVE-2022-46170

 

Improper Authentication in CodeIgniter4 - CVE-2022-46170

Published: December 22, 2022 / Updated: May 23, 2026


Vulnerability identifier: #VU132166
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2022-46170
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: CodeIgniter
Affected software:
CodeIgniter4

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to improper authentication in session handlers when handling applications configured with multiple session cookies using the DatabaseHandler, MemcachedHandler, or RedisHandler. A remote attacker can obtain one valid session cookie and use it to access pages that require another session cookie to bypass authentication.

Exploitation requires an application to use multiple session cookies.


How to mitigate CVE-2022-46170

Install security update from vendor's website.

Sources