Listen to this Post
The vulnerability resides in the Scheduler Task Handler within the Joomla CMS backend. It stems from an improper access check on the functionality that allows users to edit the task types of existing scheduler tasks. The flaw permits low-privileged users (e.g., an authenticated user with limited permissions) to modify the task type of any scheduled task. The attack path is remote and straightforward: the attacker, having basic authenticated access, sends a crafted request to the vulnerable endpoint, changing the task type without proper authorization. The manipulation leads to unauthorized modification (integrity impact) of scheduler configurations, but no confidentiality or availability impact. The attack complexity is low, requires low privileges, and no user interaction, as per the CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.
DailyCVE Form
Platform: Joomla CMS
Version: 4.1.0-5.4.5,6.0.0-6.1.0
Vulnerability : Improper Access Control
Severity: Medium (CVSS 4.3)
Date: 2026-05-26
Prediction: Patch expected 2026-05-26
Analytics under What Undercode Say:
Check Joomla version from CLI (if accessible) php /path/to/joomla/cli/joomla.php --version Alternatively, check version from file grep -E '^\$version\s=' /path/to/joomla/libraries/src/Version.php Search for vulnerable endpoints in logs grep -E 'POST /administrator/index.php\?option=com_scheduler' /var/log/apache2/access.log Count attempts to modify task types grep -c 'task=task.edit' /var/log/joomla/scheduler.log
Exploit:
No known public exploit exists. Proof-of-concept (manual): authenticate as a low-privilege user (e.g., ‘Manager’), navigate to administrator/index.php?option=com_scheduler, intercept the request when editing a task’s type, and change the `task_type` parameter to a disallowed value (e.g., shell_exec). The lack of proper ACL check allows the modification to be saved.
Protection from this CVE
Update to patched versions (5.4.6+ or 6.1.1+)
For Joomla 5.x:
cd /path/to/joomla
php administrator/components/com_joomlaupdate/update.php --version=5.4.6
For Joomla 6.x:
php administrator/components/com_joomlaupdate/update.php --version=6.1.1
Alternatively, apply hotfix: add explicit ACL check in
/administrator/components/com_scheduler/src/Controller/TaskController.php
Around line 120, enforce:
if (!$this->getCurrentUser()->authorise('core.edit', 'com_scheduler.task')) {
throw new \Exception(JText::_('JLIB_APPLICATION_ERROR_EDIT_NOT_PERMITTED'), 403);
}
Impact:
- Integrity : Low-privileged users can alter scheduler task types, leading to disruption of automated workflows (e.g., changing a backup task to a cleanup task).
- Privilege Escalation : Indirectly, by modifying a task to run a privileged operation, an attacker could force execution with elevated context.
- Availability : None (the vulnerability does not cause system downtime).
- Compliance : May violate security standards requiring strict separation of duties (e.g., PCI DSS 7.2.1).
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

