CVE-2026-48902
Received - Intake
Password Reset Feature HTTP to HTTPS Downgrade in Joomla

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: Joomla! Project

Description
The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
Meta Information
Published: 2026-05-26
Last Modified: 2026-05-26
Generated: 2026-05-26
AI Q&A: 2026-05-26
EPSS Evaluated: N/A
Affected Vendors & Products
Associated CPEs (4). The two ranges are the affected releases; 5.4.6 and 6.1.1 are the releases that carry the fix and are listed for completeness.
Vendor   Product      Version / Range                           Status
joomla   joomla_cms   From 3.9.0 (inc) to 5.4.5 (inc)            affected
joomla   joomla_cms   From 6.0.0 (inc) to 6.1.0 (inc)            affected
joomla   joomla_cms   5.4.6                                      fixed release
joomla   joomla_cms   6.1.1                                      fixed release
Exploitability
CWE: not assigned (CWE-UNKNOWN)
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-48902 is a low-severity vulnerability in Joomla! CMS 3.9.0 through 5.4.5 and 6.0.0 through 6.1.0. When a site was served over HTTPS but the "Force SSL" option had not been explicitly set, the password-reset and username-reset features built their links with a plain http:// scheme instead of https://.

The reset link carries the token that authorizes the reset. When the user follows an http:// link, the browser sends that token in a plaintext request, so anyone who can observe the traffic on the path (for example on an untrusted network) can read it. Even if the web server immediately redirects to HTTPS, the token has already crossed the network unencrypted in that first request.


How can this vulnerability impact me?

On an affected site without "Force SSL" set, the reset token travels over unencrypted HTTP at the moment the recipient opens the link, so an attacker positioned on the network path between the user and the server can capture it.

With a captured token the attacker can complete the reset before the legitimate user does and take over the account (the same applies to the username-reset flow). Exploitation requires the attacker to be on the network path when the user clicks, which limits its practical reach.

The issue is rated low severity; no EPSS score is shown for it on this page.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The reliable check is on the server: confirm the Joomla! release (affected: 3.9.0 to 5.4.5 and 6.0.0 to 6.1.0) and whether "Force SSL" is enabled in the site configuration. Network monitoring only reveals the problem at the moment a user follows a reset link.

If you do want to observe it on the wire, capture plaintext HTTP and look for Joomla! reset requests carrying a token:

  • Capture HTTP traffic on port 80: tcpdump -i any -A 'tcp port 80'
  • Filter the capture for reset URLs, e.g. requests to option=com_users&view=reset that include a token parameter (or simply the keywords 'reset' and 'token'). A hit on port 80 means a token crossed the network unencrypted.
  • To test link generation directly, request a password or username reset for a test account and inspect the e-mail that arrives: the link should begin with https://. curl or wget can submit the reset form, but the link itself only appears in the delivered e-mail, not in the HTTP response.

What immediate steps should I take to mitigate this vulnerability?

The immediate step is to upgrade Joomla! CMS to 5.4.6 or 6.1.1 (or later), where the link generation has been fixed.

Until the upgrade is in place, enable "Force SSL" for the entire site ($force_ssl = 2 in configuration.php) so that the site, including the frontend reset pages, runs over HTTPS and the generated reset links use https://.
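As an added example (not Joomla! project code, and not part of this page's original content), the server-side check described in the detection and mitigation answers above: it reads the release constants from libraries/src/Version.php, compares them against the affected ranges 3.9.0 to 5.4.5 and 6.0.0 to 6.1.0, and reads $force_ssl from configuration.php. Only the entire-site value 2 is treated as covering the frontend reset links; that is a conservative assumption of this script, not a statement from the advisory. The sample webroots it builds under a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Joomla! project code: checks a Joomla! webroot for the two
# conditions behind CVE-2026-48902 (affected release AND "Force SSL" not set).
# File locations follow Joomla!'s layout: libraries/src/Version.php holds the
# MAJOR/MINOR/PATCH_VERSION constants, configuration.php holds $force_ssl
# (0 = none, 1 = administrator only, 2 = entire site).

# Print the release as "5.4.3" from the version constants, or "unknown".
joomla_version() {
    vfile="$1/libraries/src/Version.php"
    if [ ! -r "$vfile" ]; then echo unknown; return; fi
    maj=$(sed -n 's/.*MAJOR_VERSION *= *\([0-9][0-9]*\);.*/\1/p' "$vfile" | head -n 1)
    min=$(sed -n 's/.*MINOR_VERSION *= *\([0-9][0-9]*\);.*/\1/p' "$vfile" | head -n 1)
    pat=$(sed -n 's/.*PATCH_VERSION *= *\([0-9][0-9]*\);.*/\1/p' "$vfile" | head -n 1)
    if [ -z "$maj" ] || [ -z "$min" ] || [ -z "$pat" ]; then echo unknown; return; fi
    echo "$maj.$min.$pat"
}

# Turn "5.4.3" into the integer 5004003 so ranges compare with -ge/-le.
vernum() {
    echo "$1" | awk -F. '{ printf "%d", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Affected ranges from the advisory: 3.9.0-5.4.5 and 6.0.0-6.1.0 (inclusive).
version_status() {
    if [ "$1" = unknown ]; then echo unknown; return; fi
    v=$(vernum "$1")
    if { [ "$v" -ge 3009000 ] && [ "$v" -le 5004005 ]; } || \
       { [ "$v" -ge 6000000 ] && [ "$v" -le 6001000 ]; }; then
        echo affected
    else
        echo not_affected
    fi
}

# Read the numeric $force_ssl value from configuration.php, or "unknown".
force_ssl_setting() {
    cfile="$1/configuration.php"
    if [ ! -r "$cfile" ]; then echo unknown; return; fi
    val=$(sed -n 's/.*public *\$force_ssl *= *\([0-9][0-9]*\);.*/\1/p' "$cfile" | head -n 1)
    echo "${val:-unknown}"
}

# Verdict for one webroot. Only force_ssl=2 (entire site) is treated as covering
# the frontend reset links; this is the script's conservative assumption.
check_site() {
    ver=$(joomla_version "$1")
    status=$(version_status "$ver")
    ssl=$(force_ssl_setting "$1")
    if [ "$status" = unknown ]; then
        echo "UNKNOWN $ver force_ssl=$ssl"
    elif [ "$status" = affected ] && [ "$ssl" != 2 ]; then
        echo "VULNERABLE $ver force_ssl=$ssl"
    elif [ "$status" = affected ]; then
        echo "MITIGATED $ver force_ssl=$ssl"
    else
        echo "NOT_AFFECTED $ver force_ssl=$ssl"
    fi
}

# Build a constructed sample webroot (not a real install) with the given
# major, minor, patch and force_ssl values, for a stand-alone run.
make_sample_site() {
    mkdir -p "$1/libraries/src"
    printf '<?php\nclass Version {\n    public const MAJOR_VERSION = %s;\n    public const MINOR_VERSION = %s;\n    public const PATCH_VERSION = %s;\n}\n' \
        "$2" "$3" "$4" > "$1/libraries/src/Version.php"
    printf '<?php\nclass JConfig {\n    public $force_ssl = %s;\n}\n' "$5" > "$1/configuration.php"
}

# Demo: an unpatched 5.4.3 site without Force SSL, the same site with Force SSL
# for the entire site, and a fixed 6.1.1 site.
demo=$(mktemp -d)
make_sample_site "$demo/old"   5 4 3 0
make_sample_site "$demo/old2"  5 4 3 2
make_sample_site "$demo/fixed" 6 1 1 0
for site in old old2 fixed; do
    echo "$site: $(check_site "$demo/$site")"
done
rm -rf "$demo"
```

Against a real install run check_site /var/www/html (or wherever the webroot is). VULNERABLE means the release is affected and Force SSL is not set for the whole site; MITIGATED means the release is still affected but the setting is on, so the upgrade is still due.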


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

Because the reset token can be exposed in transit when the link is generated as http:// on a site without "Force SSL", the issue touches the transmission-security requirements of frameworks such as GDPR and HIPAA, which expect personal and sensitive data to be protected while it moves over a network.

The vulnerability is rated low severity and is fixed in Joomla! 5.4.6 and 6.1.1; upgrading removes the exposure.

