CVE-2026-35220
CSRF Vulnerability in Joomla com_users Admin Activation
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: Joomla! Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| joomla | cms | From 6.0.0 (inc) to 6.1.0 (inc) |
| joomla | cms | 6.1.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35220 is a Cross-Site Request Forgery (CSRF) vulnerability in Joomla! CMS versions 6.0.0 to 6.1.0. It occurs because the admin activation endpoint of the com_users component does not validate CSRF tokens. This lack of validation allows attackers to trick authenticated administrators into performing unauthorized actions by sending crafted requests.
How can this vulnerability impact me? :
This vulnerability can allow attackers to perform unauthorized actions on the Joomla! CMS admin activation endpoint without the administrator's consent. Such actions could include activating user accounts or other administrative functions, potentially compromising the integrity and security of the website.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-35220 vulnerability, users should upgrade Joomla! CMS to version 6.1.1 or later, where the issue with missing CSRF token validation in the admin activation endpoint of the com_users component has been fixed.