Improper Authentication in CodeIgniter4 - CVE-2022-46170
Published: December 22, 2022 / Updated: May 23, 2026
CodeIgniter4
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists due to improper authentication in session handlers when handling applications configured with multiple session cookies using the DatabaseHandler, MemcachedHandler, or RedisHandler. A remote attacker can obtain one valid session cookie and use it to access pages that require another session cookie to bypass authentication.
Exploitation requires an application to use multiple session cookies.