Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
An improper access check allows privilege escalation through the com_users batch task.
AnalysisAI
Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users batch task due to an improper access check (CWE-284). The flaw enables unauthorized modification of user accounts and elevation of privileges across affected installations, with no public exploit identified at time of analysis. EPSS scoring is 0.00% and the vulnerability is not listed in CISA KEV, but the CVSSv4 base score of 8.2 reflects high integrity impact.
Technical ContextAI
Joomla! is a widely deployed PHP-based content management system, and com_users is its core component responsible for managing user accounts, groups, and ACL assignments. The batch task within com_users is intended for administrators to apply bulk operations (such as group reassignment or state changes) across multiple user records. CWE-284 (Improper Access Control) indicates the batch task endpoint does not adequately verify whether the requesting user holds the privileges needed to perform the targeted change, permitting cross-tier modification of user records and effective privilege elevation. The CVSS vector (AV:N/AC:L/AT:P/PR:N/UI:N) further indicates this is reachable over the network with low complexity, though the AT:P (Attack Requirements: Present) flag implies some deployment-specific precondition must be met for the batch task path to be reachable.
RemediationAI
Patch available per vendor advisory - upgrade Joomla! CMS to a version newer than 5.4.5 in the 5.x branch or newer than 6.1.0 in the 6.x branch as specified at https://developer.joomla.org/security-centre/1045-20260513-core-privilege-escalation-through-com-users-batch-task.html; exact fixed version numbers were not independently confirmed in the available data and should be taken from that advisory. Until the upgrade is applied, restrict access to the /administrator/ backend via IP allow-listing or VPN to limit reachability of com_users endpoints (trade-off: blocks legitimate remote admin sessions), audit user group memberships and recent batch operations in the audit log for unexpected privilege grants, and consider temporarily disabling or restricting use of the User Manager batch operation through ACL review. Avoid relying solely on WAF rules, as the batch task uses standard component routing that is difficult to distinguish from legitimate admin traffic.
More in Joomla Cms
View allTransport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w
Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta
Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t
Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a
Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth
Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve
Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus
Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in
Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi
Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig
Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani
Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to injec
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31873
GHSA-8p98-hxh2-cfpv