Description
The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.
Published: 2026-04-01
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Access Control Bypass
Action: Apply Patch
AI Analysis

Impact

The Joomla! AJAX component failed to enforce the default logged-in user check within the administration interface. This oversight permits any user, including unauthenticated or insufficiently privileged accounts, to invoke administrative AJAX actions. The consequence is a privilege escalation to gain administrative capabilities, potentially allowing modification or disclosure of sensitive site data. The weakness is classified as an access control bypass under CWE-284.

Affected Systems

The affected product is Joomla! CMS from the Joomla! Project. No specific affected version range is listed, but the issue applies to all releases prior to the fix that introduced ACL hardening in the com_ajax component. Administrators should verify that they are running the patched version or a release that includes the hardening.

Risk and Exploitability

The CVSS score is 6.3, indicating moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Based on the description, the attack would most likely involve sending a web request to the com_ajax endpoint, though the exact network details are not explicitly documented, so the attack vector is inferred. Overall, organizations that can promptly patch can reduce the risk to a manageable level.

Generated by OpenCVE AI on April 9, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Joomla! CMS update that includes ACL hardening in com_ajax.
  • Verify that the com_ajax component is configured to enforce user authentication for all administrative actions.
  • Review custom extensions using com_ajax to ensure they respect the correct access control checks.

Generated by OpenCVE AI on April 9, 2026 at 21:53 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 20:15:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Joomla; joomla!
CPEs                                   cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
Vendors & Products                     Joomla; joomla!
Metrics                                cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Joomla; Joomla joomla!
Vendors & Products                     Joomla; Joomla joomla!

Wed, 01 Apr 2026 23:45:00 +0000

Type                 Values Removed    Values Added
Metrics                                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 09:45:00 +0000

Type                 Values Removed    Values Added
Description                            The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.
Title                                  Joomla! Core - [20260301] - ACL hardening in com_ajax
Weaknesses                             CWE-284
References
Metrics                                cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-04-01T19:32:37.680Z

Reserved: 2026-01-01T04:42:27.960Z

Link: CVE-2026-21629

Vulnrichment

Updated: 2026-04-01T12:44:18.391Z

NVD

Status : Analyzed

Published: 2026-04-01T10:16:15.790

Modified: 2026-04-09T20:00:04.767

Link: CVE-2026-21629

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:45:48Z

Weaknesses