CVE-2026-23899
Received Received - Intake
Improper Access Control in Joomla Webservice Enables Unauthorized Access

Publication date: 2026-04-01

Last updated on: 2026-04-09

Assigner: Joomla! Project

Description
An improper access check allows unauthorized access to webservice endpoints.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23899
EUVD
EUVD-2026-17863
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
joomla joomla! From 3.0.0 (inc) to 5.4.4 (exc)
joomla joomla! From 6.0.0 (inc) to 6.0.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23899 is a high-severity security vulnerability in Joomla! CMS versions 4.0.0 through 5.4.3 and 6.0.0 through 6.0.3. It involves an improper access check in the webservice endpoints, which means that the access control mechanisms are incorrectly implemented. As a result, unauthorized users can gain access to these webservice endpoints that they should not be able to access.

Impact Analysis

This vulnerability can allow unauthorized users to access webservice endpoints in Joomla! CMS, potentially exposing sensitive data or functionality that should be restricted. Such unauthorized access can lead to data breaches, manipulation of data, or disruption of services depending on what the webservice endpoints control.

Detection Guidance

This vulnerability involves improper access checks on Joomla! webservice endpoints allowing unauthorized access. Detection would involve checking if your Joomla! installation is within the affected versions (4.0.0 through 5.4.3 and 6.0.0 through 6.0.3) and testing access to webservice endpoints without proper authorization.

Specific commands or automated detection scripts are not provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade your Joomla! installations to version 5.4.4 or 6.0.4, where the improper access check issue has been fixed.

Contact the Joomla! Security Centre (JSST) for further guidance if needed.

Compliance Impact

The vulnerability allows unauthorized access to webservice endpoints due to improper access checks. Such unauthorized access can lead to exposure or compromise of sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA that require strict access controls and protection of personal and health information.

Failure to properly restrict access could result in violations of these standards, potentially leading to legal and financial consequences for organizations using affected Joomla! versions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23899. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart