Description
An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.
Published: 2026-05-26
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper access control (CWE‑284) that permits a user with low privileges to change the task type of existing scheduler tasks in Joomla! CMS. By altering the task type, the attacker could modify the behavior of scheduled actions, potentially affecting site functionality or enabling further undesired operations if those tasks interact with sensitive data or processes.

Affected Systems

Any Joomla! CMS installation that includes the com_scheduler component is affected; no specific versions are identified in the CVE data.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. EPSS data is not available, so the precise likelihood of exploitation cannot be quantified. The flaw is not listed in the CISA KEV catalog. Exploitation requires the attacker to be authenticated as a user with low privileges and to access the scheduler interface, making the attack vector remote through standard web authentication.

Generated by OpenCVE AI on May 26, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Joomla! CMS update that includes a fix for the scheduler access control flaw if one is available on the Joomla! Project website.
  • Configure Joomla! ACL to restrict editing of scheduler tasks to administrative or specifically designated roles, removing such permissions from lower-privilege users.
  • Audit user accounts with scheduler modification rights and adjust or delete permissions for accounts that should not have such access.

Generated by OpenCVE AI on May 26, 2026 at 23:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Joomla joomla!
Vendors & Products Joomla joomla!

Tue, 26 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Joomla
Joomla joomla\!
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
Vendors & Products Joomla
Joomla joomla\!
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Tue, 26 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.
Title Joomla! Core - [20260516] - Incorrect Access Control in com_scheduler
Weaknesses CWE-284
References
Metrics cvssV4_0

{'score': 6.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H'}

Subscriptions

Joomla Joomla! Joomla\!
cve-icon MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-05-27T09:12:59.814Z

Reserved: 2026-05-26T10:06:17.656Z

Link: CVE-2026-48900

cve-icon Vulnrichment

Updated: 2026-05-26T17:39:15.850Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T17:16:54.740

Modified: 2026-05-26T20:56:25.237

Link: CVE-2026-48900

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:04:28Z

Weaknesses