Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Insufficient state checks lead to a vector that allows to bypass 2FA checks.
AnalysisAI
Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent MFA checks due to insufficient state validation during the authentication flow. The flaw (CWE-287) was disclosed by the Joomla! project itself and tracked as EUVD-2026-31890; no public exploit identified at time of analysis and EPSS is very low (0.01%, 2nd percentile), but the integrity impact is high since attackers reaching this path effectively defeat the second authentication factor.
Technical ContextAI
Joomla! is a widely deployed PHP-based open-source CMS, and the affected component is its core MFA (multi-factor authentication) subsystem, as confirmed by the vendor advisory titled 'Core MFA authentication bypass.' The root cause maps to CWE-287 (Improper Authentication): the login state machine fails to consistently verify that the second-factor challenge has been satisfied before promoting the session to fully authenticated. CPE data (cpe:2.3:a:joomla!_project:joomla!_cms) and the EUVD-listed version ranges (4.0.0-5.4.5 and 6.0.0-6.1.0) indicate the defect is present across both the current 5.x maintenance line and the new 6.x major line, suggesting the flawed state-check logic was carried forward during the major version transition.
RemediationAI
Upgrade to a fixed Joomla! release immediately above the affected ranges - i.e., a 5.4.x release later than 5.4.5 on the 5.x maintenance line, or a 6.1.x release later than 6.1.0 on the 6.x line; consult the Joomla! security advisory at https://developer.joomla.org/security-centre/1043-20260511-core-mfa-authentication-bypass.html for the exact patched build numbers, as a vendor-released patch is referenced by the advisory but a specific fix version is not enumerated in the input data. Until the upgrade is applied, compensating controls include enforcing strong, unique passwords and rotating credentials for any account that relies on MFA as a compensating factor (since the bypass collapses MFA back to single-factor security), restricting administrator login to known IP ranges via web server or WAF rules (trade-off: blocks legitimate remote admins), monitoring authentication logs for sessions that transition to authenticated state without a corresponding MFA challenge event, and temporarily limiting the use of privileged accounts on internet-exposed Joomla! installations until patched.
More in Joomla Cms
View allTransport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w
Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta
Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t
Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a
Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth
Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus
Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users
Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in
Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi
Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig
Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani
Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to injec
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31890
GHSA-xcpx-mpjq-w6ph