Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
An improper access check allows privelege escalation through the com_users group editing webservice endpoint.
AnalysisAI
Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abuse an improper access check in the com_users group editing webservice endpoint to elevate privileges. The CVSS 4.0 vector indicates network-reachable exploitation without authentication or user interaction, with high impact to integrity but no confidentiality or availability impact. There is no public exploit identified at time of analysis and EPSS is effectively 0%, but the vendor advisory confirms the access-control flaw.
Technical ContextAI
Joomla! CMS exposes a REST webservice API under com_users that handles user group management. The vulnerability is rooted in CWE-284 (Improper Access Control): the group editing endpoint fails to correctly verify that the caller is authorized to modify user group memberships or group definitions, which are the primary mechanism for assigning privileges (including Super User) in Joomla's ACL model. Because Joomla webservices are reachable over HTTP and the access check is the security boundary that gates privilege assignment, a missing or broken check on this specific endpoint directly translates into an ability to alter authorization data. The affected CPE is cpe:2.3:a:joomla!_project:joomla!_cms across the version ranges named in the EUVD advisory.
RemediationAI
Patch available per vendor advisory: upgrade to a fixed Joomla! release in the 5.x or 6.x branch as published in the Joomla Security Centre advisory at https://developer.joomla.org/security-centre/1046-20260514-core-privilege-escalation-through-com-users-webservice-endpoints.html (exact fix version should be taken from that advisory, as the EUVD data only lists the vulnerable ranges 4.0.0-5.4.5 and 6.0.0-6.1.0). If patching cannot be performed immediately, the most targeted compensating control is to disable or restrict the com_users webservice endpoint - either by turning off the Web Services - Users plugin in the Joomla extensions manager, or by blocking access to the /api/index.php/v1/users/groups paths at the reverse proxy or WAF; the trade-off is that any legitimate API-based user/group administration will break. Additionally, restrict access to the /api/ tree to known administrative IP ranges where feasible, and audit Joomla group memberships and Super User accounts for unexpected changes since exposure began.
More in Joomla Cms
View allTransport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w
Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta
Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t
Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a
Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth
Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve
Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users
Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in
Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi
Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig
Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani
Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to injec
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31875
GHSA-x9j9-9cc9-85fc