CVE-2026-21629
Access Control Bypass in Joomla Ajax Component for Admin Area
Publication date: 2026-04-01
Last updated on: 2026-04-09
Assigner: Joomla! Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| joomla | joomla! | From 3.0.0 (inc) to 5.4.4 (exc) |
| joomla | joomla! | From 6.0.0 (inc) to 6.0.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21629 is an access control vulnerability in the Joomla! CMS core component called com_ajax. The ajax component was excluded from the default logged-in-user access check within the administrative area, which was potentially unexpected behavior for third-party developers.
This means that certain access restrictions that normally apply to logged-in users in the admin area did not apply to the ajax component, potentially allowing unauthorized access or actions.
How can this vulnerability impact me? :
This vulnerability could allow unauthorized users or third-party developers to access or interact with the ajax component in the Joomla! administrative area without proper authentication.
Such unauthorized access might lead to unintended actions or exposure of administrative functions, potentially compromising the security or integrity of the Joomla! CMS installation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability concerns an access control issue in the Joomla! CMS core component com_ajax, where the ajax component was excluded from the default logged-in-user access check in the administrative area.
The provided resources do not include specific detection methods or commands to identify exploitation or presence of this vulnerability on a network or system.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate step to mitigate this vulnerability is to upgrade Joomla! CMS to version 5.4.4 or 6.0.4, where the issue has been fixed.
This upgrade addresses the incorrect access control vulnerability in the com_ajax component and restores the expected logged-in-user access checks in the administrative area.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.