Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
An improper access check allows privilege escalation through the com_users batch task.
AnalysisAI
Privilege escalation in Joomla! CMS via the com_users batch task allows low-privileged authenticated users to bypass access controls and elevate their user group membership or permissions. Affected versions span two major release lines: 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0, as confirmed by ENISA EUVD-2026-31880 and the Joomla Security Centre. No public exploit has been identified and EPSS is effectively zero; however, SSVC assesses the technical impact as total, meaning successful exploitation could yield full privilege takeover within the application.
Technical ContextAI
Joomla! CMS is a widely-deployed PHP-based content management system. The vulnerability resides in the com_users component, specifically its batch processing task, which handles bulk operations on user accounts such as group assignment changes. CWE-284 (Improper Access Control) indicates the batch task endpoint fails to correctly verify whether the requesting authenticated user holds the necessary privileges to execute those operations - allowing a lower-privileged user to invoke functionality reserved for administrators. The affected CPE is cpe:2.3:a:joomla!_project:joomla!_cms:*:*:*:*:*:*:*:* spanning both the 4.x/5.x and 6.x release lines. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms remote exploitability with low complexity and no user interaction, requiring only low-level authentication.
RemediationAI
Upgrade Joomla! CMS to a release above 5.4.5 (for the 4.x/5.x line) or above 6.1.0 (for the 6.x line) per the Joomla Security Centre advisory at https://developer.joomla.org/security-centre/1047-20260515-core-incorrect-access-control-in-sample-data-plugins.html. The precise patched version numbers are not independently confirmed in available data beyond the stated affected ranges - consult the official advisory and Joomla release notes for the exact target upgrade version. As a compensating control prior to patching, use Joomla's built-in ACL manager to explicitly deny the com_users batch task permission from all non-administrator user groups; be aware this may restrict legitimate bulk user management workflows for lower-level managers. Additionally, disabling public user registration reduces the pool of potential attackers to already-known accounts, providing a meaningful reduction in attack surface without disrupting existing authenticated users.
More in Joomla Cms
View allTransport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w
Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta
Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t
Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a
Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth
Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve
Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus
Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users
Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in
Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi
Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig
Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31880
GHSA-rfwr-f8vm-98cv