Description
An improper access check allows unauthorized access to com_config webservice endpoints.
Published: 2026-05-26
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper access check in the Joomla! core com_config webservice endpoints allows an attacker to bypass normal authentication and obtain unauthorized access to configuration settings. This flaw can enable the attacker to modify or retrieve sensitive configuration data, potentially leading to full control over the affected Joomla! installation. The weakness is rooted in inadequate authorization enforcement, classified as CWE‑284.

Affected Systems

The flaw affects the Joomla! CMS provided by the Joomla! Project. Specific affected release versions are not listed in the advisory; administrators should consult the vendor security notice to determine if their installation is vulnerable and to apply any available patch.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.6, indicating a high impact level. Exploitation is likely feasible over the network via the exposed webservice endpoints, so the risk is high for publicly accessible sites. Since EPSS is below 1% and the flaw is not listed in the CISA KEV catalog, there is no current evidence of widespread exploitation, but the high CVSS score warrants immediate attention. The attack vector is inferred to be remote, utilizing HTTP requests to the vulnerable endpoints. The lack of detailed version information means the true scope could be broader than reported.

Generated by OpenCVE AI on May 28, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Joomla! security patch that resolves the com_config access check issue.
  • If a patch is not yet available, disable or restrict the com_config webservice endpoints on the server or limit them to trusted IP addresses using firewall or web‑application controls.
  • Configure the Joomla! installation to enforce strict authentication and authorization for all webservice endpoints, ensuring that only privileged users can access configuration data.

Generated by OpenCVE AI on May 28, 2026 at 21:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Joomla joomla\!
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
Vendors & Products Joomla joomla\!
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Joomla
Joomla joomla!
Vendors & Products Joomla
Joomla joomla!

Tue, 26 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 26 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description An improper access check allows unauthorized access to com_config webservice endpoints.
Title Joomla! Core - [20260508] - Improper access check in com_config webservice endpoints
Weaknesses CWE-284
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Joomla Joomla! Joomla\!
cve-icon MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-05-27T09:12:29.087Z

Reserved: 2026-04-01T19:23:13.196Z

Link: CVE-2026-35223

cve-icon Vulnrichment

Updated: 2026-05-26T17:37:59.161Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T17:16:36.080

Modified: 2026-05-28T19:07:39.223

Link: CVE-2026-35223

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T21:15:27Z

Weaknesses