Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.
AnalysisAI
Improper access control in Joomla! CMS com_scheduler component permits low-privileged authenticated backend users to modify the task types of existing scheduler tasks, an operation that should be restricted to higher-privileged administrators. Affected versions span Joomla! 4.1.0 through 5.4.5 and 6.0.0 through 6.1.0. While no public exploit code exists and CISA KEV has not confirmed active exploitation, the high subsequent-system impact scores (SC:H/SI:H/SA:H) in the CVSS 4.0 vector indicate that tampering with scheduler task types can produce significant integrity and availability consequences beyond the immediately vulnerable component.
Technical ContextAI
The vulnerability resides in the com_scheduler component of the Joomla! CMS (CPE: cpe:2.3:a:joomla!_project:joomla!_cms:*:*:*:*:*:*:*:*), a built-in plugin that manages automated background tasks. The root cause is classified as CWE-284 (Improper Access Control), meaning the application fails to correctly enforce authorization boundaries when a backend user submits a request to change the task type of an already-existing scheduler job. Rather than verifying that the requesting user holds the appropriate ACL permission for that operation, the component processes the modification request regardless of privilege level. Because scheduler tasks in Joomla can invoke system-level plugins, file operations, or third-party integrations, unrestricted modification of task types exposes adjacent systems and services to unintended behavior - reflected in the CVSS 4.0 subsequent-system scores of SC:H/SI:H/SA:H.
RemediationAI
Apply the patched Joomla! CMS release identified in the official security advisory at https://developer.joomla.org/security-centre/1048-20260516-core-incorrect-access-control-in-com-scheduler.html - the exact fixed version numbers are not independently confirmed in the available intelligence data and should be verified there before upgrading. As a compensating control prior to patching, administrators can restrict backend login access to only fully trusted users via Joomla's ACL manager, reducing the pool of accounts capable of reaching the com_scheduler interface. Additionally, auditing existing scheduler tasks for unexpected task-type changes can serve as a detective control. Note that restricting backend access may affect legitimate editorial or content-management workflows and should be coordinated with site operators.
More in Joomla Cms
View allTransport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w
Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta
Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t
Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a
Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth
Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve
Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus
Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users
Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in
Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi
Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig
Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31879
GHSA-cwvc-2p7m-grcm