Description
The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
Published: 2026-05-26
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability causes Joomla's password and username reset features to generate plain-HTTP links unless the Force SSL option is explicitly enabled. This downgrade allows an attacker who can observe or tamper with traffic to intercept or modify the reset links, potentially capturing reset tokens or user credentials. The defect results in exposure of sensitive data over an insecure channel.

Affected Systems

The affected product is Joomla! CMS under the Joomla! Project. Any installation that does not enable Force SSL for password and username reset functionality is considered vulnerable; no specific version numbers are listed in the advisory.

Risk and Exploitability

Because the reset links travel unencrypted, the risk is tied to any network segment where HTTP traffic could be monitored. It is inferred that an attacker could capture a reset token from the URL and use it to perform a credential reset, effectively taking over the user’s account. The EPSS score of < 1% indicates a low probability of exploitation in the wild, yet the CVSS score of 9.8 reflects a critical severity for those exposed to the attack vector. The vulnerability is not listed in CISA KEV.

Generated by OpenCVE AI on June 2, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Enable the Force SSL setting for password and username reset in Joomla! configuration to force HTTPS links.
  • Apply the latest Joomla! CMS update that addresses this issue; if no update is available, monitor Joomla! release notes for a fix.
  • Configure the web server to automatically redirect HTTP requests for reset URLs to the HTTPS scheme, preventing exposure of plain-HTTP links.

Generated by OpenCVE AI on June 2, 2026 at 13:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-319

Thu, 28 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Thu, 28 May 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Joomla joomla\!
Weaknesses CWE-200
NVD-CWE-noinfo
CPEs cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
Vendors & Products Joomla joomla\!

Thu, 28 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-319
CWE-640

Thu, 28 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Joomla
Joomla joomla!
Vendors & Products Joomla
Joomla joomla!

Tue, 26 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-319
CWE-640

Tue, 26 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
Title Joomla! Core - [20260518] - Transport encryption downgrade for password and username reset links
References

Subscriptions

Joomla Joomla! Joomla\!
cve-icon MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-06-05T07:28:36.374Z

Reserved: 2026-05-26T10:06:17.656Z

Link: CVE-2026-48902

cve-icon Vulnrichment

Updated: 2026-05-28T13:23:27.192Z

cve-icon NVD

Status : Modified

Published: 2026-05-26T17:16:54.970

Modified: 2026-06-02T14:16:54.870

Link: CVE-2026-48902

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T14:00:10Z

Weaknesses