CVE-2026-21629 MEDIUM

CVE-2026-21629: Joomla! Core - [20260301] - ACL hardening in com_ajax

Vendor Joomla! Project
Product Joomla! CMS
Weakness CWE-284
Published April 1, 2026
Last update April 1, 2026

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.

Explanation of Vulnerability in Simple Terms

02Summary

Joomla! CMS versions 3.0.0 through 5.4.3 contain an access control flaw that allows attackers to bypass permission checks. An attacker with network access but no authentication can trigger the vulnerability to gain unauthorized access to restricted functionality or data. Site administrators should update to a version newer than 5.4.3 as soon as a patch is available.

What an attacker can do

03Attacker Capabilities

Bypass access controls to reach restricted functionality or data without proper authorization.

Potential impact on your site

04Site Impact

Unauthorized users may access restricted areas, user data, or administrative functions depending on the specific flaw.

Conditions required to exploit

05Prerequisites

Network access; no authentication required. Attacker interaction with the site is needed to trigger the flaw.

Key dates

06Disclosure timeline

April 1, 2026 CVE published
April 1, 2026 Record updated

Related vulnerabilities

08Related CVE