Skip to main content

Joomla! CMS CVE-2026-48898

| EUVDEUVD-2026-31873 HIGH
Improper Access Control (CWE-284)
2026-05-26 Joomla GHSA-8p98-hxh2-cfpv
8.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 08:59 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
8.2 (HIGH)
CVE Published
May 26, 2026 - 16:42 nvd
UNKNOWN (no severity yet)
CVE Published
May 26, 2026 - 16:42 nvd
HIGH 8.2

DescriptionCVE.org

An improper access check allows privilege escalation through the com_users batch task.

AnalysisAI

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users batch task due to an improper access check (CWE-284). The flaw enables unauthorized modification of user accounts and elevation of privileges across affected installations, with no public exploit identified at time of analysis. EPSS scoring is 0.00% and the vulnerability is not listed in CISA KEV, but the CVSSv4 base score of 8.2 reflects high integrity impact.

Technical ContextAI

Joomla! is a widely deployed PHP-based content management system, and com_users is its core component responsible for managing user accounts, groups, and ACL assignments. The batch task within com_users is intended for administrators to apply bulk operations (such as group reassignment or state changes) across multiple user records. CWE-284 (Improper Access Control) indicates the batch task endpoint does not adequately verify whether the requesting user holds the privileges needed to perform the targeted change, permitting cross-tier modification of user records and effective privilege elevation. The CVSS vector (AV:N/AC:L/AT:P/PR:N/UI:N) further indicates this is reachable over the network with low complexity, though the AT:P (Attack Requirements: Present) flag implies some deployment-specific precondition must be met for the batch task path to be reachable.

RemediationAI

Patch available per vendor advisory - upgrade Joomla! CMS to a version newer than 5.4.5 in the 5.x branch or newer than 6.1.0 in the 6.x branch as specified at https://developer.joomla.org/security-centre/1045-20260513-core-privilege-escalation-through-com-users-batch-task.html; exact fixed version numbers were not independently confirmed in the available data and should be taken from that advisory. Until the upgrade is applied, restrict access to the /administrator/ backend via IP allow-listing or VPN to limit reachability of com_users endpoints (trade-off: blocks legitimate remote admin sessions), audit user group memberships and recent batch operations in the audit log for unexpected privilege grants, and consider temporarily disabling or restricting use of the User Manager batch operation through ACL review. Avoid relying solely on WAF rules, as the batch task uses standard component routing that is difficult to distinguish from legitimate admin traffic.

CVE-2026-48902 CRITICAL
9.8 May 26

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w

CVE-2026-23898 HIGH
8.6 Apr 01

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48901 HIGH
7.5 May 26

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in

CVE-2026-40383 HIGH
7.5 May 26

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi

CVE-2026-25901 MEDIUM
6.9 May 26

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig

CVE-2026-25900 MEDIUM
6.9 May 26

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani

CVE-2026-30895 MEDIUM
6.9 May 26

Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to injec

Share

CVE-2026-48898 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy