CVE-2026-48902
Modified - Updated After Analysis
Password Reset Feature HTTP to HTTPS Downgrade in Joomla

Publication date: 2026-05-26

Last updated on: 2026-06-02

Assigner: Joomla! Project

Description
The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
Meta Information
Published: 2026-05-26
Last Modified: 2026-06-02
Generated: 2026-06-16
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-06-14
References: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
joomla joomla! From 3.0.0 (inc) to 5.4.6 (exc)
joomla joomla! From 6.0.0 (inc) to 6.1.1 (exc)
CWE ID Description
CWE-319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Compliance Impact

This vulnerability involves the generation of password and username reset links as plain HTTP instead of HTTPS when the "Force SSL" setting is not enabled, potentially exposing sensitive reset tokens during transmission.

Such exposure of sensitive information in transit could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data during transmission.

However, the vulnerability is classified as low severity and was fixed in Joomla! versions 5.4.6 and 6.1.1, with users advised to upgrade to mitigate the risk.

Executive Summary

CVE-2026-48902 is a low-severity vulnerability in Joomla! CMS. This summary gives the affected ranges as 3.9.0 through 5.4.5 and 6.0.0 through 6.1.0; the CPE entries above list the first range as starting at 3.0.0, so any 3.x, 4.x or 5.x install below 5.4.6 and any 6.x install below 6.1.1 should be treated as affected. The bug is that the password and username reset features built their links with a plain http:// scheme, even when the site itself was being served over HTTPS, unless the "Force SSL" setting had been explicitly enabled.

Because the reset link carries the one-time token as a query parameter, a user who follows it sends that token in a cleartext request, where an on-path observer can read it.

Impact Analysis

The reset link is delivered by e-mail and carries the token in its query string. When the link starts with http://, the browser's first request, token included, goes to port 80 in cleartext; a server-side redirect to HTTPS comes too late, because the token has already left the client. Anyone able to observe that traffic (a hostile Wi-Fi network, an on-path proxy) can read it.

With the token in hand, an attacker can complete the reset themselves and take over the account.

The low severity rating reflects the preconditions: the attacker needs a network position between the victim and the site, and only sees a token when a user actually follows a cleartext link. A browser that already holds an HSTS entry for the site will upgrade the link to https:// before sending it, so the exposure matters mainly for sites that do not send HSTS, or on a client's first visit.

Detection Guidance

The vulnerable condition shows up in two places: in the reset e-mail, where the link begins with http:// rather than https://, and on the wire, where a user who follows such a link sends the token in a cleartext GET request to port 80 before any redirect to HTTPS happens.

Network capture tools such as tcpdump or Wireshark will show that cleartext request, provided the capture point sits between the client and the server (on the web server itself, or on an upstream proxy or load balancer).

  • Capture cleartext HTTP on the server, with options placed before the filter expression (tcpdump treats anything after the expression as part of it): tcpdump -i any -A 'tcp port 80'. The -A flag prints payloads as ASCII so the request line is readable.
  • Search the captured requests for reset URLs, e.g. request lines containing 'reset' or 'token='; in Wireshark the display filter http.request.uri contains "token=" does the same.
  • Confirm the root cause directly: trigger a password or username reset for a test account and inspect the link in the e-mail the site sends. The link is delivered by e-mail, not in the HTTP response, so curl or wget on their own will not show it.
Mitigation Strategies

The fix is to upgrade Joomla! CMS to 5.4.6 or 6.1.1 (or later), where the issue has been addressed.

On installs that cannot be upgraded immediately, set "Force SSL" to the entire site (Global Configuration, Server tab; this is $force_ssl = 2 in configuration.php), which removes the condition under which the plain http:// links were generated. Keeping that setting enabled after the upgrade, together with an HSTS header, remains good practice, since it ensures the browser never sends a reset token over cleartext even if a user types or follows an http:// URL.
