Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Insufficient state checks lead to a vector that allows to bypass 2FA checks.
AnalysisAI
Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor authentication (MFA) due to insufficient state validation during the login flow. The flaw, tracked as CVE-2026-48897 and reported by the Joomla! project, undermines the integrity protections expected from 2FA and could grant attackers access to accounts whose credentials are already known or guessable. EPSS probability is low (0.04%, 13th percentile) and there is no public exploit identified at time of analysis.
Technical ContextAI
The vulnerability sits in Joomla!'s core MFA implementation, which is part of the authentication pipeline for both the front-end and administrator interfaces. CWE-287 (Improper Authentication) here manifests as insufficient state checks: the application does not properly verify that the MFA challenge stage has been completed before transitioning a session to an authenticated state, meaning an attacker can manipulate the authentication state machine to skip the second factor. The CPE string cpe:2.3:a:joomla!_project:joomla!_cms:*:*:* confirms the issue is in the core CMS product (PHP-based web platform), not a third-party extension.
RemediationAI
Upgrade to a Joomla! CMS release outside the affected ranges as identified in the vendor advisory at https://developer.joomla.org/security-centre/1044-20260512-core-mfa-authentication-bypass.html (patch available per vendor advisory; the exact fixed version should be taken from that advisory as it is not independently enumerated in the provided data). Until patched, compensating controls include disabling MFA bypass-prone login paths by restricting administrator access to known IP ranges via web server or WAF rules, forcing password resets on privileged accounts to neutralise any pre-compromised first-factor credentials, and monitoring authentication logs for sessions that reach authenticated state without a corresponding MFA-success event - note that IP allow-listing can lock out legitimate remote admins and aggressive monitoring may produce noise on busy sites.
More in Joomla Cms
View allTransport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w
Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta
Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t
Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a
Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve
Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus
Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users
Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in
Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi
Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig
Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani
Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to injec
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31883
GHSA-f2ph-7g59-rhf9