Joomla CMS, Improper Access Control, CVE-2026-48900 (Medium)

Listen to this Post

The vulnerability resides in the Scheduler Task Handler within the Joomla CMS backend. It stems from an improper access check on the functionality that allows users to edit the task types of existing scheduler tasks. The flaw permits low-privileged users (e.g., an authenticated user with limited permissions) to modify the task type of any scheduled task. The attack path is remote and straightforward: the attacker, having basic authenticated access, sends a crafted request to the vulnerable endpoint, changing the task type without proper authorization. The manipulation leads to unauthorized modification (integrity impact) of scheduler configurations, but no confidentiality or availability impact. The attack complexity is low, requires low privileges, and no user interaction, as per the CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.

DailyCVE Form

Platform: Joomla CMS
Version: 4.1.0-5.4.5,6.0.0-6.1.0
Vulnerability : Improper Access Control
Severity: Medium (CVSS 4.3)
Date: 2026-05-26

Prediction: Patch expected 2026-05-26

Analytics under What Undercode Say:

Check Joomla version from CLI (if accessible)
php /path/to/joomla/cli/joomla.php --version
Alternatively, check version from file
grep -E '^\$version\s=' /path/to/joomla/libraries/src/Version.php
Search for vulnerable endpoints in logs
grep -E 'POST /administrator/index.php\?option=com_scheduler' /var/log/apache2/access.log
Count attempts to modify task types
grep -c 'task=task.edit' /var/log/joomla/scheduler.log

Exploit:

No known public exploit exists. Proof-of-concept (manual): authenticate as a low-privilege user (e.g., ‘Manager’), navigate to administrator/index.php?option=com_scheduler, intercept the request when editing a task’s type, and change the `task_type` parameter to a disallowed value (e.g., shell_exec). The lack of proper ACL check allows the modification to be saved.

Protection from this CVE

Update to patched versions (5.4.6+ or 6.1.1+)
For Joomla 5.x:
cd /path/to/joomla
php administrator/components/com_joomlaupdate/update.php --version=5.4.6
For Joomla 6.x:
php administrator/components/com_joomlaupdate/update.php --version=6.1.1
Alternatively, apply hotfix: add explicit ACL check in
/administrator/components/com_scheduler/src/Controller/TaskController.php
Around line 120, enforce:
if (!$this->getCurrentUser()->authorise('core.edit', 'com_scheduler.task')) {
throw new \Exception(JText::_('JLIB_APPLICATION_ERROR_EDIT_NOT_PERMITTED'), 403);
}

Impact:

  • Integrity : Low-privileged users can alter scheduler task types, leading to disruption of automated workflows (e.g., changing a backup task to a cleanup task).
  • Privilege Escalation : Indirectly, by modifying a task to run a privileged operation, an attacker could force execution with elevated context.
  • Availability : None (the vulnerability does not cause system downtime).
  • Compliance : May violate security standards requiring strict separation of duties (e.g., PCI DSS 7.2.1).

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top