CVE-2026-48904: Joomla com_users Group Editing Web Service Privilege Escalation
CVE-2026-48904
BIT-joomla-2026-48904
Summary
The Joomla com_users group editing web service endpoint does not properly check user permissions. This can allow an attacker to gain elevated privileges. To fix this, update to the latest Joomla version or apply the provided patch.
What to do
- Update joomla to version 6.1.1.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| – | joomla | joomla\! | >= 4.0.0, < 5.4.6; >= 6.0.0, < 6.1.1 (`cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*`) |
| Bitnami | – | joomla | >= 6.0.0, < 6.1.1 (Fix: upgrade to 6.1.1) |
Original title
Joomla! Core - [20260514] - Privilege escalation through com_users webservice endpoints
Original description
An improper access check allows privilege escalation through the com_users group editing webservice endpoint.
nvd CVSS4.0
8.2
Vulnerability type
CWE-284
Improper Access Control
Published: 27 May 2026 · Updated: 27 May 2026 · First seen: 26 May 2026