PatchSiren cyber security CVE debrief
CVE-2026-35223 Joomla! Project CVE debrief
An improper access control vulnerability in Joomla's com_config webservice endpoints allows unauthorized access to configuration management functions. The vulnerability stems from insufficient authorization checks on webservice API endpoints, enabling authenticated users with elevated privileges to bypass intended access controls. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no user interaction required, and high impact across confidentiality, integrity, and availability dimensions. The vulnerability was disclosed by the Joomla Security Strike Team and is currently undergoing analysis by NVD.
- Vendor
- Joomla! Project
- Product
- Joomla! CMS
- CVSS
- HIGH 8.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-26
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-26
- Advisory updated
- 2026-05-26
Who should care
Joomla site administrators, security operations teams managing Joomla deployments, web application security assessors, and organizations using Joomla's webservice API for configuration management.
Technical summary
The com_config component in Joomla provides webservice endpoints for configuration management. An improper access check vulnerability allows authenticated users to access these endpoints without proper authorization validation. The vulnerability affects the REST API implementation where privilege escalation or unauthorized access to site configuration parameters may occur. Attack vector is network-based with low complexity, requiring high privileges (PR:H) but no user interaction.
Defensive priority
HIGH
Recommended defensive actions
- Review Joomla security advisory for affected versions and patch availability
- Audit com_config webservice endpoint access logs for unauthorized configuration changes
- Apply Joomla security updates when released by vendor
- Implement additional authentication controls for administrative webservice endpoints
- Monitor for anomalous API calls to /api/index.php/v1/config endpoints
Evidence notes
Vendor evidence from Joomla security advisory confirms improper access check in com_config webservice endpoints. CVSS 4.0 score of 8.6 reflects high severity with network accessibility and high impact potential. CWE-284 (Improper Access Control) classified as primary weakness.
Official resources
-
CVE-2026-35223 CVE record
CVE.org
-
CVE-2026-35223 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
Disclosed by Joomla Security Strike Team on 2026-05-08 via security advisory; CVE published 2026-05-26.