Description
Lack of CSRF token validation leads to a CSRF attack vector in the admin activation endpoint of com_users.
Published: 2026-05-26
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a classic Cross-Site Request Forgery flaw, classified as CWE-352: the activation endpoint of the com_users component does not enforce a CSRF token. An attacker can craft a malicious request that, when submitted by an authenticated administrator, activates or promotes a user account without permission. This can lead to unauthorized administrator accounts or privilege elevation, compromising the confidentiality and integrity of the site. The CVSS score of 4.6 corresponds to medium severity.

Affected Systems

The vulnerability affects Joomla! CMS installations that expose the com_users activation endpoint. No specific version range is listed, so any Joomla! deployment that includes the com_users component and does not apply a CSRF token check on the activation route may be vulnerable.

Risk and Exploitability

The CVSS rating of 4.6 reflects the requirement of a valid administration session for exploitation. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, indicating that widespread exploitation has not been observed. Based on the description, it is inferred that the attack vector is a web‑based CSRF: a malicious page could send the forged activation request while an administrator is logged in, causing the server to activate or promote a user account without any additional authentication or confirmation.

Generated by OpenCVE AI on May 26, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Joomla! patch released for the 2026‑05‑05 advisory as soon as it becomes available.
  • Ensure CSRF token validation is enabled on the com_users activation endpoint or disable public activation entirely, so that only authenticated administrators can trigger activation actions.
  • Restrict access to the activation endpoint to authorized administrators only and use Joomla!’s built‑in session token checks to enforce request authenticity.


Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Joomla joomla!
  Vendors & Products                    Joomla joomla!

Wed, 27 May 2026 13:30:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Joomla
                                        Joomla joomla!
  CPEs                                  cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
  Vendors & Products                    Joomla
                                        Joomla joomla!
  Metrics                               cvssV3_1
                                        {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 27 May 2026 11:15:00 +0000

  Type                 Values Removed   Values Added
  Metrics                               ssvc
                                        {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 17:00:00 +0000

  Type                 Values Removed   Values Added
  Description                           Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.
  Title                                 Joomla! Core - [20260505] - CSRF in user activation endpoint
  Weaknesses                            CWE-352
  References
  Metrics                               cvssV4_0
                                        {'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-05-27T09:14:34.686Z

Reserved: 2026-04-01T19:23:13.196Z

Link: CVE-2026-35220

Vulnrichment

Updated: 2026-05-26T18:09:26.143Z

NVD

Status: Analyzed

Published: 2026-05-26T17:16:35.680

Modified: 2026-05-27T13:18:02.893

Link: CVE-2026-35220

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:51:24Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)