CVE-2026-23899: Improper Access Check in Joomla! com_config Webservices
Vulnerability ID: CVE-2026-23899
CVSS Score: 8.8
Published: 2026-04-01
CVE-2026-23899 is a critical authorization bypass vulnerability within the Joomla! CMS webservice API. Due to an improper access check in the com_config component, authenticated low-privileged users can read and modify the global configuration, leading to the exposure of database credentials and the application secret key.
TL;DR
An authorization bypass in Joomla! webservice endpoints allows authenticated low-privileged users to read and modify sensitive configuration settings, resulting in total system compromise.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-284
- Attack Vector: Network
- Privileges Required: Low (API Token)
- CVSS v3.1 Score: 8.8
- EPSS Score: 0.00001
- Exploit Status: Proof of Concept
Affected Systems
- Joomla! CMS
-
Joomla! CMS: 4.0.0 - 5.4.3 (Fixed in:
5.4.4) -
Joomla! CMS: 6.0.0 - 6.0.3 (Fixed in:
6.0.4)
Mitigation Strategies
- Upgrade Joomla! core to versions 5.4.4 or 6.0.4
- Rotate all credentials stored in configuration.php
- Restrict API access network-wise if not explicitly required
Remediation Steps:
- Backup the current Joomla! installation and database.
- Apply the 5.4.4 or 6.0.4 update via the Joomla Update component.
- Change the database user password on the SQL server and update configuration.php accordingly.
- Rotate the SMTP password used for email relay.
- Generate a new cryptographic secret key in configuration.php to invalidate existing sessions.
References
- Joomla Developer Security Advisory
- CVE.org Record
- CyStack Technical Research
- SentinelOne Vulnerability Database
- Joomla Release Announcement
Read the full report for CVE-2026-23899 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)