Skip to main content

Joomla Cms CVE-2026-21629

| EUVDEUVD-2026-17853 MEDIUM
Improper Access Control (CWE-284)
2026-04-01 Joomla
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 10:00 euvd
EUVD-2026-17853
Analysis Generated
Apr 01, 2026 - 10:00 vuln.today
CVE Published
Apr 01, 2026 - 09:03 nvd
MEDIUM 6.3

DescriptionCVE.org

The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.

AnalysisAI

Joomla CMS fails to enforce authenticated user checks on the AJAX component in the administrative area, allowing potential authentication bypass and unauthorized access to sensitive functionality. Third-party developers expecting default access controls may expose administrative features to unauthenticated or unauthorized users. No CVSS score or public exploit code has been identified, but the vulnerability affects all Joomla CMS versions and requires immediate review of custom AJAX implementations that rely on implicit authentication enforcement.

Technical ContextAI

The vulnerability stems from improper access control enforcement (CWE-284: Improper Access Control) in Joomla's AJAX component architecture. The AJAX endpoint in the administrative area was excluded from Joomla's default logged-in-user authentication check, which represents a deviation from the expected security model. Third-party component developers who integrate with this AJAX component may have implemented custom handlers assuming the parent framework enforces authentication, when in fact the component explicitly bypasses such checks. This creates a gap between documented security assumptions and actual runtime behavior, potentially exposing administrative functionality to unauthorized access.

RemediationAI

Joomla recommends hardening of ACL (Access Control List) enforcement in the com_ajax component per the official security advisory at https://developer.joomla.org/security-centre/1027-20260301-core-acl-hardening-in-com-ajax.html. Administrators should review and update to the patched version specified in the Joomla security notice. Third-party component developers must audit custom AJAX handlers to ensure they explicitly enforce authentication and authorization checks rather than relying on implicit framework-level enforcement. Any AJAX endpoints in administrative components should include explicit user authentication verification before processing requests.

CVE-2026-48902 CRITICAL
9.8 May 26

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w

CVE-2026-23898 HIGH
8.6 Apr 01

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48898 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users

CVE-2026-48901 HIGH
7.5 May 26

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in

CVE-2026-40383 HIGH
7.5 May 26

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi

CVE-2026-25901 MEDIUM
6.9 May 26

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig

CVE-2026-25900 MEDIUM
6.9 May 26

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani

Share

CVE-2026-21629 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy