Description
An improper access check allows unauthorized access to webservice endpoints.
Published: 2026-04-01
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Webservice Endpoints
Action: Apply Patch
AI Analysis

Impact

An improper access check in Joomla! CMS allows an attacker to call protected webservice endpoints without proper authentication, potentially exposing sensitive data or enabling unintended functionality. This flaw could be exploited to modify configuration, upload content, or otherwise compromise the application.

Affected Systems

The vulnerability affects the Joomla! CMS; no specific version constraints were listed, so any version of Joomla! CMS could be subject to the flaw until the patch is applied.

Risk and Exploitability

The flaw carries a CVSS score of 8.6, indicating high severity. The EPSS score is below 1%, suggesting exploitation is unlikely at present, and the flaw is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, through unauthenticated access to webservice endpoints, so the principal risk is elevated for systems that expose these services without additional protection.

Generated by OpenCVE AI on April 9, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Joomla! CMS update that contains the fix for the improper access check in webservice endpoints.
  • If an update is not immediately available, disable or restrict access to the vulnerable webservice endpoints to prevent unauthorized usage.
  • Verify that all authentication and authorization checks are properly enforced for webservice operations.
  • Regularly monitor Joomla! security advisories and apply patches promptly.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 20:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Joomla joomla\!
CPEs | | cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
Vendors & Products | | Joomla joomla\!
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 03 Apr 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Joomla; Joomla joomla!
Vendors & Products | | Joomla; Joomla joomla!

Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
Description | | An improper access check allows unauthorized access to webservice endpoints.
Title | | Joomla! Core - [20260306] - Improper access check in webservice endpoints
Weaknesses | | CWE-284
References | |
Metrics | | cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-04-02T07:56:08.444Z

Reserved: 2026-01-17T04:38:44.009Z

Link: CVE-2026-23899

Vulnrichment

Updated: 2026-04-01T12:45:47.997Z

NVD

Status: Analyzed

Published: 2026-04-01T10:16:16.543

Modified: 2026-04-09T19:59:06.620

Link: CVE-2026-23899

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:45:49Z

Weaknesses