Joomla! CVE-2026-35223: Pre-Auth Unauthorized Access via com_config

Vulnerability Overview Vulnerability ID: [20260508] Project Name: Joomla! Subproject: CMS Impact Level: High Severity: Moderate Probability: Low Vulnerability Type: Incorrect Access Control Report Date: 2026-04-15 Fix Date: 2026-05-26 CVE ID: CVE-2026-35223 Affected Scope Affected Installation Versions: Joomla! CMS 4.0.0-5.4.5, 6.0.0-6.1.0 Remediation Solution: Upgrade to version 5.4.6.6.1.1 Description An incorrect access check allows unauthorized access to the webservice endpoint. Contact Information Contact Party: The JSSIT at the Joomla! Security Centre Reporter Reporter: Rishi Shaiya, Qi Deng Related Links Previous: [20260509] - Core - LFI in HTMLView layout parameter Next: [20260507] - Core - Authenticated blind SQLi in com_tags Additional Information Current Version: Joomla! CMS 5.5.x Known Issues: View known issues Development Status: View development status Download Nightly Build: Download nightly build Resources Development Strategy: View development strategy Product Strategy: View product strategy Planned Features: View planned features Security Announcements: View security announcements Report Security Issue: Report security issue Generative AI Policy: View generative AI policy Usage Statistics: View usage statistics Joomla! API Documentation: View Joomla! API documentation Coding Standards Manual: View coding standards manual Joomla! Code Archive: View Joomla! code archive Mailing Lists Developer Network Newsletter: Subscribe to developer network newsletter General Extensions Mailing List: Subscribe to general extensions mailing list CMS Mailing List: Subscribe to CMS mailing list Framework Mailing List: Subscribe to framework mailing list Documentation Mailing List: Subscribe to documentation mailing list Social Media Facebook: Follow Joomla! on Facebook X: Follow Joomla! on X Bluesky: Follow Joomla! on Bluesky Threads: Follow Joomla! on Threads YouTube: Follow Joomla! on YouTube LinkedIn: Follow Joomla! on LinkedIn Pinterest: Follow Joomla! on Pinterest Instagram: Follow Joomla! on Instagram GitHub: Follow Joomla! on GitHub Other Links Homepage: Return to homepage About: Learn more Community: Join the community Forum: Visit the forum Extensions: Browse extensions Services: View services User Guide: View user guide Developer: View developer resources Shop: Visit the shop Accessibility Statement: View accessibility statement Privacy Policy: View privacy policy Cookie Policy: View cookie policy Sponsor Joomla! with $5: Sponsor Joomla! Help Translate: Help translate Report Issue: Report issue Login: Login Copyright Information Copyright: © 2005 - 2026 Open Source Matters, Inc. All Rights Reserved. Advertisement Advertisement: An ad blocker has been detected. The Joomla! project relies on revenue from these ads, so please consider disabling your ad blocker for this domain. Other Joomla! Hosting by Rochen: Joomla! Hosting by Rochen Summary Vulnerability Overview: An incorrect access check allows unauthorized access to the webservice endpoint. Affected Scope: Joomla! CMS 4.0.0-5.4.5, 6.0.0-6.1.0 Remediation: Upgrade to version 5.4.6.6.1.1

Goal Reached Thanks to every supporter — we hit 100%!

Joomla! CVE-2026-35223: Pre-Auth Unauthorized Access via com_config