Access check flaw exposes Joomla webservice endpoints
TL;DR - Joomla webservice endpoints were missing an access check, or performed it incorrectly. Requests can reach API routes without the intended authorization. Patched in 5.4.4 and 6.0.4.
What happened
Joomla is a widely deployed PHP CMS.
CVE-2026-23899: an improper access check in Joomla's webservice endpoints. A missing or incorrect authorization decision results in unauthorized access to those endpoints.
CVSS v4.0 base score 8.6 (High) with Privileges Required: High. Joomla's own advisory marks Probability: Low. Still meaningful - access-control regressions in API layers are a recurring source of data exposure and control-plane abuse, especially when webservice endpoints are internet-reachable.
Who is impacted
- Joomla! CMS installations running affected versions: 4.0.0 through 5.4.3, and 6.0.0 through 6.0.3.
- Environments that have Joomla web services enabled/exposed, since the issue is specifically in webservice endpoints.
| Component | Affected versions (per vendor advisory) | Patched versions (per vendor advisory) |
|---|---|---|
| Joomla! CMS | 4.0.0–5.4.3, 6.0.0–6.0.3 | 5.4.4, 6.0.4 |
What to do now
- Follow vendor remediation guidance and apply the available fixed releases. The vendor's instruction is: "Upgrade to version 5.4.4 or 6.0.4".
- Inventory Joomla deployments (including container images and artifacts) and map them to the affected version ranges.
- Review whether Joomla web services are enabled/exposed in production, and confirm that access controls for API/webservice routes match your intended authorization model.
- If compromise or misuse is suspected, audit webservice/API access logs for unexpected callers, endpoint enumeration, and anomalous authorization patterns, then rotate credentials/tokens reachable by the impacted Joomla instance.
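The inventory and log-audit steps above, as an added example that is not part of the original advisory or of Joomla's own code: `is_affected` maps a discovered Joomla version string onto the advisory's affected ranges, `fix_target` names the fixed release for that major line (the advisory lists no 4.x fix, so 4.x is mapped to the 5.4.4 line on the assumption that it is the smaller upgrade), and `triage_api_access` scans combined-format access log lines for callers hitting the web services router. The `/api/` prefix is the default Joomla 4+ web services route and is assumed not to be rewritten; the log lines, the endpoint paths and the `KNOWN_API_CLIENTS` allowlist are constructed sample data.

```python
import re
from collections import defaultdict

# Affected ranges from the vendor advisory (inclusive), as (major, minor, patch) tuples.
AFFECTED_RANGES = [((4, 0, 0), (5, 4, 3)), ((6, 0, 0), (6, 0, 3))]
# Fixed releases per major line; 4.x has no listed fix and is mapped to 5.4.4 (assumption).
FIXED_VERSIONS = {5: (5, 4, 4), 6: (6, 0, 4)}

# Default Joomla 4+ web services route prefix (assumption: no custom rewrite in place).
API_PREFIX = "/api/"
# Constructed allowlist of integrations that are expected to call the API.
KNOWN_API_CLIENTS = {"10.0.0.5"}

# Combined log format: ip ident authuser [ts] "METHOD PATH PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: one known integration, one unknown client probing several
# endpoints and getting a 2xx after a 403, and one ordinary site visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "GET /api/index.php/v1/content/articles HTTP/1.1" 200 5120 "-" "integration-bot/1.0"
203.0.113.7 - - [01/Jan/2026:10:02:11 +0000] "GET /api/index.php/v1/tags HTTP/1.1" 403 221 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2026:10:02:12 +0000] "GET /api/index.php/v1/categories HTTP/1.1" 200 1840 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2026:10:02:13 +0000] "GET /api/index.php/v1/tags HTTP/1.1" 200 903 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2026:10:02:14 +0000] "GET /api/index.php/v1/content/articles?page=2 HTTP/1.1" 200 7700 "-" "curl/8.0"
198.51.100.9 - - [01/Jan/2026:10:05:00 +0000] "GET /index.php/about HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
""".splitlines()


def parse_version(text):
    """Turn '5.4.3' (a trailing suffix such as '-dev' is ignored) into a (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Joomla version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def fix_target(version_text):
    """Fixed release to move to, or None when the version is not affected."""
    if not is_affected(version_text):
        return None
    major = parse_version(version_text)[0]
    return FIXED_VERSIONS.get(major, FIXED_VERSIONS[5])


def triage_api_access(log_lines, known_clients=KNOWN_API_CLIENTS, min_distinct_endpoints=3):
    """Group API requests per client (lines are assumed chronological) and flag
    unexpected callers, endpoint enumeration, and a 2xx that follows a 401/403."""
    per_client = defaultdict(lambda: {"endpoints": set(), "denied": False, "ok_after_denial": False})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(API_PREFIX):
            continue  # malformed line or not a web services request
        rec = per_client[m["ip"]]
        rec["endpoints"].add(m["path"].split("?", 1)[0])  # ignore query string
        status = int(m["status"])
        if status in (401, 403):
            rec["denied"] = True
        elif 200 <= status < 300 and rec["denied"]:
            rec["ok_after_denial"] = True
    flagged = {}
    for ip, rec in per_client.items():
        reasons = []
        if ip not in known_clients:
            reasons.append("unexpected-caller")
        if len(rec["endpoints"]) >= min_distinct_endpoints:
            reasons.append("endpoint-enumeration")
        if rec["ok_after_denial"]:
            reasons.append("denied-then-success")
        if reasons:
            flagged[ip] = {"reasons": reasons, "endpoints": sorted(rec["endpoints"])}
    return flagged


if __name__ == "__main__":
    for ver in ("4.4.9", "5.4.3", "5.4.4", "6.0.3", "6.0.4"):
        print(ver, "affected" if is_affected(ver) else "not affected", "->", fix_target(ver))
    for ip, info in triage_api_access(SAMPLE_LOG).items():
        print(ip, info["reasons"], info["endpoints"])
```

The version check is deliberately inclusive on both ends so it agrees with the advisory table; feed it whatever your inventory tooling reports (the `version` field of `administrator/manifests/files/joomla.xml`, a container label, or a package version) after stripping any build suffix. The log triage only uses fields present in the standard combined format, so it works on stock Apache or nginx logs; the "denied-then-success" signal depends on line order, so sort merged logs by timestamp before passing them in.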
