critical

CVE

CVE-2026-48898, CVE-2026-48904

CWE

CWE-284

Affected Surface

Joomla CMS 4.0.0 through 5.4.5, Joomla CMS 6.0.0 through 6.1.0, Joomla com_users batch task, Joomla com_users group-editing webservice endpoint

Joomla published 5.4.6 and 6.1.1 on 26 May with a cluster of security fixes. The highest-risk items for application owners are two com_users privilege-escalation vulnerabilities: CVE-2026-48898 in the user batch task and CVE-2026-48904 in the user-group webservice endpoint.

Both advisories affect Joomla CMS 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0. The fixed versions are 5.4.6 and 6.1.1.

The vulnerable authority boundary

The common failure is an access check around user and group mutation. In Joomla deployments, com_users is security-critical because it controls account state, group membership, and permission-bearing relationships. Any flaw that lets an attacker invoke com_users mutation outside the intended authorization boundary can become a site takeover path.

CVE-2026-48898 is the batch-task issue:

com_users batch task -> improper access check -> privilege escalation

Batch operations are especially sensitive because they apply one requested operation across selected users. If the task accepts a user or group transition that the caller should not be allowed to perform, the exploit does not need code execution to be dangerous; it can directly alter authorization state.

CVE-2026-48904 is the webservice issue:

com_users group-editing webservice endpoint -> improper access check -> privilege escalation

The webservice route deserves separate inventory because API exposure is often different from administrator UI exposure. A site may firewall /administrator more tightly than API routes, or it may issue API tokens to automation users with narrower intended privileges. Security teams should verify both surfaces independently.

Why the CVSS looks worse than the vendor probability

Joomla rates probability as low for both privilege-escalation advisories, but NVD’s initial enrichment scores both as critical under CVSS v3.1. That difference is normal for access-control bugs when exploitation depends on product-specific workflow details that are not fully disclosed publicly.

For defenders, the safe interpretation is:

  • The bug class is serious because it affects account and group authority.
  • The vulnerable project and version ranges are clear.
  • Public advisories intentionally do not provide exploit details.
  • Patch priority should be based on internet/API exposure and the sensitivity of accounts managed in Joomla.

The same Joomla security-center page also lists other 26 May fixes, including two-factor authentication bypass issues, scheduler task access-control issues, and HTML filtering XSS flaws. Those are separate CVEs, but they reinforce the same operational conclusion: 5.4.6 and 6.1.1 should be treated as security releases, not routine maintenance updates.

Remediation

Upgrade Joomla CMS to 5.4.6 or 6.1.1. If extensions or compatibility constraints prevent an immediate major/minor move, prioritize the fixed release within the currently supported line:

  • Joomla 5.x sites should move to 5.4.6 or later.
  • Joomla 6.x sites should move to 6.1.1 or later.

After patching, review logs for suspicious com_users activity before the upgrade window:

  • Bulk or batch user operations.
  • Group membership changes that do not match approved administration.
  • API requests to user or group webservice endpoints.
  • New administrator-equivalent accounts, API tokens, or permission-bearing groups.

If suspicious changes exist, revert unauthorized account and group mutations, rotate affected API tokens, and audit extension-level permissions that may have inherited new privileges from compromised Joomla groups.

References