PatchSiren cyber security CVE debrief
CVE-2026-35220 Joomla! Project CVE debrief
A Cross-Site Request Forgery (CSRF) vulnerability exists in the admin user activation endpoint of the Joomla com_users component. The flaw stems from missing CSRF token validation, allowing an attacker to trick an authenticated administrator into performing unintended user activation actions via a malicious web page or link. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, requiring high privileges and user interaction, with low integrity impact on the victim component. The vulnerability was disclosed by the Joomla Security Strike Team and published to NVD on 2026-05-26. No known exploitation in ransomware campaigns has been reported. Administrators should apply Joomla security updates when available and ensure administrative sessions are protected with additional authentication factors.
- Vendor: Joomla! Project
- Product: Joomla! CMS
- CVSS: MEDIUM 4.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-27
Who should care
Joomla site administrators, security teams managing Joomla deployments, and developers maintaining custom user management extensions
Technical summary
The com_users component in Joomla fails to validate CSRF tokens on the administrative user activation endpoint. An attacker can craft a malicious request that, when triggered by an authenticated administrator (e.g., via phishing or a visit to a malicious site), performs user activation actions without the administrator's explicit intent. The attack requires the administrator to have an active session and to interact with attacker-controlled content. Impact is limited to integrity violations within the user management scope.
Defensive priority
medium
Recommended defensive actions
- Apply security updates from Joomla when patches become available
- Review and restrict administrative access to trusted networks and MFA-protected accounts
- Monitor for unexpected user activation events in administrative audit logs
- Validate that custom extensions implementing user activation enforce CSRF protection
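The technical summary and the last recommended action both come down to one check: a state-changing admin endpoint must require a per-session anti-CSRF token in addition to the session cookie, because a cross-site page can make the browser send the cookie but cannot read the token. The script below is an added illustration written for this debrief, not Joomla's code; it simulates the endpoint with plain PHP arrays standing in for the session and request, and the helper names (`issueToken`, `checkToken`, `activateUserVulnerable`, `activateUserHardened`) are assumptions for the demo. In a real Joomla extension the equivalent check is the framework's own `Session::checkToken()` call, with the token rendered into the form by `HTMLHelper::_('form.token')`.

```php
<?php
// Added example (not Joomla's code): minimal simulation of an admin
// "activate user" endpoint with and without anti-CSRF token validation.
// Run stand-alone with: php csrf_activation_demo.php
declare(strict_types=1);

/** Issue a random per-session token and keep a copy server-side (assumed helper). */
function issueToken(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

/** Constant-time comparison of the submitted token against the session copy (assumed helper). */
function checkToken(array $session, array $request): bool
{
    $submitted = $request['token'] ?? '';
    $expected  = $session['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

/**
 * Vulnerable shape: the handler trusts the administrator's session alone.
 * A forged cross-site POST carries the admin's cookies, so it passes this check.
 */
function activateUserVulnerable(array $session, array $request, array &$users): string
{
    if (empty($session['is_admin'])) {
        return 'forbidden: not an administrator';
    }
    $id = (string) ($request['user_id'] ?? '');
    if (!isset($users[$id])) {
        return 'error: unknown user';
    }
    $users[$id]['activated'] = true;
    return "activated user $id";
}

/**
 * Hardened shape: the same handler additionally requires the session token.
 * The forged request cannot include it, so the activation is refused.
 */
function activateUserHardened(array $session, array $request, array &$users): string
{
    if (empty($session['is_admin'])) {
        return 'forbidden: not an administrator';
    }
    if (!checkToken($session, $request)) {
        return 'forbidden: invalid or missing CSRF token';
    }
    $id = (string) ($request['user_id'] ?? '');
    if (!isset($users[$id])) {
        return 'error: unknown user';
    }
    $users[$id]['activated'] = true;
    return "activated user $id";
}

// Constructed demo state: one pending user and a logged-in administrator.
$users        = ['42' => ['activated' => false]];
$adminSession = ['is_admin' => true];
$token        = issueToken($adminSession);

// Forged request: reaches the server with the admin's session but no token.
$forged = ['user_id' => '42'];
// Legitimate request: the admin submitted the form that had the token embedded.
$legit  = ['user_id' => '42', 'token' => $token];

echo 'vulnerable + forged : ', activateUserVulnerable($adminSession, $forged, $users), PHP_EOL;
$users['42']['activated'] = false;
echo 'hardened   + forged : ', activateUserHardened($adminSession, $forged, $users), PHP_EOL;
echo 'hardened   + legit  : ', activateUserHardened($adminSession, $legit, $users), PHP_EOL;
```

The design points worth carrying into a review of any custom user-management extension: the token is bound to the session and regenerated per session rather than being a fixed secret, the comparison uses `hash_equals` to avoid timing leaks, and the check runs before any state change so a missing or stale token never produces a partial update.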
Evidence notes
Vendor identification derived from reference domain candidate 'Joomla' with low confidence; requires review. Official advisory link provided by [email protected] confirms Joomla as affected product.
Official resources
- CVE-2026-35220 CVE record (CVE.org)
- CVE-2026-35220 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory, 2026-05-26