Description
An improper access check allows privilege escalation through the com_users batch task.
Published: 2026-05-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from an improper access control in the com_users batch task of Joomla! CMS. The flaw permits privilege escalation, allowing an attacker to execute functions normally reserved for administrators. The missing authorization check, identified as CWE-284, can grant unauthorized users elevated privileges across the site. Based on the description, it is inferred that the attacker may need to be authenticated or exploit a misconfiguration to invoke the batch task, although the advisory does not detail explicit authentication prerequisites.

Affected Systems

Joomla! CMS as distributed by the Joomla! Project is affected, specifically the sample data plugins that rely on the com_users batch task. No specific version information is available in the advisory, so all installations that include these plugins should be considered potentially vulnerable. Based on the description, it is inferred that the issue applies to any Joomla! CMS deployment that includes the sample data plugins, regardless of the core version.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and no EPSS score is available, which suggests no known active exploitation but is not definitive evidence either way. The flaw can be exploited via a web-based attack that targets the com_users batch task. Based on the description, it is inferred that exploitation would likely require an authenticated user context, or that a misconfigured environment could enable unauthenticated access. The risk remains moderate until a vendor fix is applied, and the issue is not listed in CISA KEV.

Generated by OpenCVE AI on May 26, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Joomla! CMS release that includes the fix for the com_users batch task.
  • Disable or remove the sample data plugins that depend on the com_users batch task if they are unnecessary for your deployment.
  • Restrict or block the com_users batch task to administrators only, ensuring no non-admin users can trigger it.

Advisories

No advisories yet.

History

Wed, 27 May 2026 10:30:00 +0000

  Type                 Values Removed / Values Added
  First Time appeared  Joomla joomla!
  Vendors & Products   Joomla joomla!

Tue, 26 May 2026 21:00:00 +0000

  Type                 Values Removed / Values Added
  First Time appeared  Joomla; Joomla joomla\!
  Weaknesses           NVD-CWE-noinfo
  CPEs                 cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
  Vendors & Products   Joomla; Joomla joomla\!
  Metrics              cvssV3_1
                       {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 26 May 2026 18:30:00 +0000

  Type                 Values Removed / Values Added
  Metrics              ssvc
                       {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 26 May 2026 17:00:00 +0000

  Type                 Values Removed / Values Added
  Description          An improper access check allows privilege escalation through the com_users batch task.
  Title                Joomla! Core - [20260515] - Incorrect Access Control in sample data plugins
  Weaknesses           CWE-284
  References
  Metrics              cvssV4_0
                       {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-05-27T09:13:16.497Z

Reserved: 2026-05-26T10:06:17.656Z

Link: CVE-2026-48899

Vulnrichment

Updated: 2026-05-26T17:41:00.315Z

NVD

Status: Analyzed

Published: 2026-05-26T17:16:54.587

Modified: 2026-05-26T20:59:03.803

Link: CVE-2026-48899

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:04:27Z

Weaknesses