A critical improper access control flaw in Joomla!'s com_users group editing webservice endpoint allows unauthenticated attackers to escalate privileges over the network, scoring 9.8 on CVSS 3.1.
What Is It
CVE-2026-48904 is an improper access check (CWE-284) in Joomla!'s core. The com_users group editing webservice endpoint fails to properly enforce authorization, allowing privilege escalation. The flaw is exploitable over the network with low attack complexity, requires no privileges, and needs no user interaction.
NVD assigns a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Joomla's own CVSS 4.0 secondary scoring rates it 8.2 (HIGH) with integrity impact rated HIGH and confidentiality/availability scored NONE, reflecting that the primary risk is unauthorized modification of user/group state rather than data theft or outage.
Why It Matters
Joomla! powers a substantial share of the public web, and com_users is the component that governs accounts and group membership. An unauthenticated attacker reaching the vulnerable webservice endpoint can manipulate group assignments, which is the standard path to gaining administrative access on a CMS. From there, an attacker can typically install extensions, write template files, and pivot to full site compromise.
The CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog, so there is no government-confirmed active exploitation at this time. However, the combination of network-reachable attack surface, no authentication requirement, and a clear privilege-escalation impact makes this an attractive target for opportunistic scanning.
What's Vulnerable
Per NVD's CPE configuration, the following Joomla! Core branches are affected:
- 4.0.0 ≤ version < 5.4.6
- 6.0.0 ≤ version < 6.1.1
The flaw lives in the com_users group editing webservices endpoint exposed by Joomla!'s API application.
Patch Status
Joomla! has published a security advisory and shipped fixed releases. Administrators should upgrade immediately:
- Sites on the 4.x/5.x branch: update to 5.4.6 or later
- Sites on the 6.x branch: update to 6.1.1 or later
Until patched, restrict access to the Joomla! API/webservices endpoints at the web server or WAF layer.
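As an added defender-side check (not code from the Joomla! project or from this advisory), the following Python compares a site's version against the affected ranges and fixed releases listed above. It assumes the Joomla 4+ layout of libraries/src/Version.php (MAJOR_VERSION, MINOR_VERSION, PATCH_VERSION and EXTRA_VERSION constants) and uses a constructed sample of that file; pre-release builds of a fixed version (e.g. 5.4.6-rc1) are treated as still affected.

```python
import re
from typing import Optional, Tuple

# (major, minor, patch, final): final is 0 for a pre-release build, 1 for a final release,
# so "5.4.6-rc1" sorts below "5.4.6" and is still flagged as affected.
Version = Tuple[int, int, int, int]

# Affected ranges from the advisory: lower bound inclusive, first fixed release exclusive.
AFFECTED_RANGES = (
    ((4, 0, 0, 0), (5, 4, 6, 1)),
    ((6, 0, 0, 0), (6, 1, 1, 1)),
)

# Assumption: Version.php declares e.g. "public const MAJOR_VERSION = 5;" and
# "public const EXTRA_VERSION = '';" (non-empty EXTRA_VERSION marks a pre-release).
_CONST_RE = re.compile(r"const\s+(MAJOR|MINOR|PATCH|EXTRA)_VERSION\s*=\s*(\d+|'[^']*')\s*;")

# Constructed sample in the Joomla 4+ layout; not taken from a real site.
SAMPLE_VERSION_PHP = """
class Version
{
    public const MAJOR_VERSION = 5;
    public const MINOR_VERSION = 4;
    public const PATCH_VERSION = 5;
    public const EXTRA_VERSION = '';
}
"""

def parse_version_php(source: str) -> Version:
    """Extract the version from the text of libraries/src/Version.php."""
    found = {m.group(1): m.group(2).strip("'") for m in _CONST_RE.finditer(source)}
    missing = {"MAJOR", "MINOR", "PATCH"} - found.keys()
    if missing:
        raise ValueError(f"Version.php lacks constants: {sorted(missing)}")
    final = 0 if found.get("EXTRA", "") else 1
    return int(found["MAJOR"]), int(found["MINOR"]), int(found["PATCH"]), final

def parse_version_string(version: str) -> Version:
    """Parse a version as shown in the admin UI, e.g. '5.4.5' or '5.4.6-rc1'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(-\S+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Joomla version string: {version!r}")
    major, minor, patch, extra = m.groups()
    return int(major), int(minor), int(patch), 0 if extra else 1

def fixed_release_for(version: Version) -> Optional[str]:
    """Return the first fixed release ('5.4.6' or '6.1.1') if affected, else None."""
    for low, fixed in AFFECTED_RANGES:
        if low <= version < fixed:
            return ".".join(str(n) for n in fixed[:3])
    return None

if __name__ == "__main__":
    installed = parse_version_php(SAMPLE_VERSION_PHP)
    print(installed, "->", fixed_release_for(installed) or "not in an affected range")
```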