CVE-2026-48898 · 2026-05-26

CVE-2026-48898: Joomla Privilege Escalation via com_users Batch Task

An improper access check in Joomla's com_users batch task allows unauthenticated attackers to escalate privileges over the network, rated CVSS 9.8 Critical.

What Is It

CVE-2026-48898 is a privilege escalation vulnerability in Joomla! core caused by an improper access check (CWE-284) within the com_users batch task. According to the Joomla security advisory, the flaw permits privilege escalation through this component. NVD scores it 9.8 Critical (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting that the issue is reachable over the network with low complexity and requires no privileges or user interaction. The vendor's own CVSS 4.0 assessment scores it 8.2 High, with integrity impact rated High and confidentiality/availability impact rated None.

Why It Matters

Joomla is one of the most widely deployed open-source CMS platforms, and com_users is core functionality, not an optional extension. Because the access check failure is in a batch task path, an attacker can manipulate user records without authenticating, gaining elevated privileges in the target instance. With a 9.8 Critical NVD score and no prerequisite credentials or user interaction, exposed Joomla sites are at immediate risk of takeover via account privilege manipulation.
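The brief places the flaw in the com_users batch task reached without authentication, so the first question for an operator is who has been sending requests to that task. The script below is an added example, not code from the page or the Joomla project: it scans web-server access logs for requests aimed at the com_users batch task and tallies them per source address. It assumes the task is requested in Joomla's usual shape, an option=com_users query with a task parameter ending in .batch; the brief does not state the request shape, so that pattern is an assumption to be adjusted to what your own Joomla version actually logs. The log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [26/May/2026:10:01:02 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.44 - - [26/May/2026:10:01:09 +0000] "POST /administrator/index.php?option=com_users&task=users.batch HTTP/1.1" 303 0 "-" "python-requests/2.32"
203.0.113.44 - - [26/May/2026:10:01:10 +0000] "POST /index.php?option=com_users&task=users.batch HTTP/1.1" 200 0 "-" "python-requests/2.32"
198.51.100.7 - - [26/May/2026:10:02:00 +0000] "GET /administrator/index.php?option=com_users&view=users HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format: client, identity, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def is_users_batch_request(target: str) -> bool:
    """True if the request targets com_users with a batch task.

    The task naming (<controller>.batch) is an assumption about the request
    shape; the brief only names the component and the batch task."""
    qs = parse_qs(urlsplit(target).query)
    if qs.get("option", [""])[0] != "com_users":
        return False
    task = qs.get("task", [""])[0].lower()
    return task == "batch" or task.endswith(".batch")


def find_batch_requests(log_text: str) -> list[dict]:
    """Return one record per log line that hits the com_users batch task."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined log format; skip rather than guess
        if is_users_batch_request(m["target"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "path": urlsplit(m["target"]).path,
                "status": int(m["status"]),
            })
    return hits


def summarize_by_ip(hits: list[dict]) -> dict[str, int]:
    """Count batch-task requests per source address."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = find_batch_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("batch-task requests per source:", summarize_by_ip(found))
```

Legitimate administrators batch-editing users produce the same matches, so the output is a list to correlate, not an alert on its own: compare the source addresses against admin login records and known operator networks, and treat hits on the public site path, hits from automation user agents, or bursts from one address during the exposure window as the ones to investigate. While the upgrade is being rolled out, limiting who can reach the administrator interface at the web server or network layer reduces the exposure of this and any similar component-level access check.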

Note: CVE-2026-48898 is not listed in the CISA KEV catalog at this time, so active exploitation has not been confirmed by CISA.

What's Vulnerable

Per the NVD CPE configuration, the following Joomla! versions are affected:

The weakness is classified as CWE-284 (Improper Access Control) by the Joomla security team.

Patch Status

Joomla has published a security advisory (1045-20260513) addressing this issue. Based on the affected version ranges in NVD, administrators should upgrade to:

Operators of any Joomla! site in the affected ranges should patch immediately given the unauthenticated network-reachable nature of the flaw.

Sources