Description
Insufficient state checks lead to a vector that allows bypassing 2FA checks.
Published: 2026-05-26
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient state checks, enabling an attacker to bypass 2‑factor authentication during the login process. An attacker who can submit a valid username and password can skip the second verification step, thereby gaining the same level of access as the legitimate user. This compromise affects the confidentiality, integrity, and availability of the affected system by permitting unauthorized use of privileged accounts and potential further exploitation.

Affected Systems

Vendors and products affected: Joomla! Project – Joomla! CMS. No specific affected version information is provided in the data, so any installation that lacks the fix from the referenced advisory should be treated as potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. EPSS is not available, so the current likelihood of exploitation is unknown, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote via the web interface, where an attacker uses the login page while omitting the second authentication factor. The lack of a KEV entry suggests no confirmed exploitation in the wild yet, but the high severity calls for prompt remediation.

Generated by OpenCVE AI on May 26, 2026 at 18:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Joomla security update referenced in the advisory to patch the MFA bypass flaw
  • Ensure that all user accounts have MFA enabled and verify that the login flow now requires the second factor
  • Monitor authentication logs for anomalous login attempts that might indicate attempted bypasses

Advisories

No advisories yet.

History

Thu, 28 May 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Joomla joomla!
CPEs                                  cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
Vendors & Products                    Joomla joomla!
Metrics                               cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Wed, 27 May 2026 10:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Joomla; Joomla joomla!
Vendors & Products                    Joomla; Joomla joomla!

Tue, 26 May 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 17:00:00 +0000

Type                 Values Removed   Values Added
Description                           Insufficient state checks lead to a vector that allows to bypass 2FA checks.
Title                                 Joomla! Core - [20260512] - MFA Authentication Bypass
Weaknesses                            CWE-287
References
Metrics                               cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-05-27T09:14:05.696Z

Reserved: 2026-05-26T10:06:17.656Z

Link: CVE-2026-48897

Vulnrichment

Updated: 2026-05-26T19:19:22.782Z

NVD

Status: Analyzed

Published: 2026-05-26T17:16:54.333

Modified: 2026-05-28T19:40:01.440

Link: CVE-2026-48897

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:04:22Z

Weaknesses