CVE-2026-48958 MEDIUM

CVE-2026-48958: Joomla! Core - [20260712] - Incorrect Access Control in com_fields webservice endpoints

Vendor Joomla! Project
Product Joomla! CMS
Weakness CWE-284
Published July 7, 2026
Last update July 8, 2026

CVSS base score

6.4/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

What the vulnerability does

01Description

An improper access check allows unauthorized users to create custom fields via webservices endpoints.

Explanation of Vulnerability in Simple Terms

02Summary

Joomla! CMS versions 4.0.0 through 5.4.6 contain an access control flaw that allows high-privileged users to modify site integrity and availability settings they should not have access to. The vulnerability requires an authenticated administrator account and does not expose confidential data. Site owners should update to a version newer than 5.4.6 when available.

What an attacker can do

03Attacker Capabilities

A high-privileged user can modify site integrity and availability settings beyond their authorized scope.

Potential impact on your site

04Site Impact

Unauthorized configuration changes by rogue admins could degrade site stability or modify critical settings.

Conditions required to exploit

05Prerequisites

Attacker must have high-level administrator privileges and network access to the Joomla admin panel.

Key dates

06Disclosure timeline

July 7, 2026 CVE published
July 8, 2026 Record updated

Related vulnerabilities

08Related CVE