Cyber Posture

CVE-2026-21629

Severity: High

Published: 01 April 2026

Modified: 09 April 2026
KEV Added: not listed
Patch: (no value recorded)
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0000 (0.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21629 is a high-severity Improper Access Control (CWE-284) vulnerability in the Joomla! CMS (vendor: Joomla). Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 0.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for logical access to system resources, directly preventing unauthorized access to administrative AJAX endpoints due to the missing logged-in-user check.

AC-14 Permitted Actions Without Identification or Authentication (prevent)
Identifies and explicitly authorizes specific actions performable without identification or authentication, addressing the unexpected exclusion of the AJAX component from login checks.

AC-6 Least Privilege (prevent)
Employs least privilege to restrict access to only necessary functions for authorized users, mitigating unauthorized invocation of administrative AJAX functionality.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated remote exploitation of improper access control in a public-facing web application (Joomla admin ajax component) to bypass authentication checks.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.

Deeper analysis

CVE-2026-21629 is an improper access control vulnerability (CWE-284) in the Joomla CMS core, specifically in the ajax component of the administrative area. That component was excluded from the default logged-in-user check, a behavior that third-party developers building on it would not necessarily expect. The issue carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-04-01.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By bypassing the logged-in-user check, they may access certain administrative ajax endpoints, potentially leading to low-level impacts on confidentiality, integrity, and availability, depending on the specific ajax functionality invoked.

The official Joomla security advisory (https://developer.joomla.org/security-centre/1027-20260301-core-acl-hardening-in-com-ajax.html) addresses mitigation through core ACL hardening in the com_ajax component, recommending administrators apply the relevant Joomla updates to enforce proper access controls.
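The controls listed above (AC-3, AC-14, least privilege) translate into a concrete habit for extension developers: a plugin answering a com_ajax request in the administrator area should enforce its own authorization instead of assuming the application's default logged-in-user check covered the request. The following is an added defensive illustration, not code from the Joomla project or from the advisory; the plugin name "example", the event name onAjaxExample and the asset name com_example are assumptions.

```php
<?php
// Added example (not Joomla project code): a hypothetical plugin in the
// "ajax" group that serves an administrator-only com_ajax request and
// performs its own access check. Names below are assumptions.
namespace Joomla\Plugin\Ajax\Example\Extension;

use Joomla\CMS\Factory;
use Joomla\CMS\Language\Text;
use Joomla\CMS\Plugin\CMSPlugin;

final class Example extends CMSPlugin
{
    // com_ajax routes ?option=com_ajax&plugin=example&format=json to the
    // onAjaxExample event of the "example" plugin in the ajax group.
    public function onAjaxExample(): array
    {
        $app  = Factory::getApplication();
        $user = $app->getIdentity();

        // Defense in depth (AC-3 / AC-14): do not rely on the default
        // logged-in-user check having run for this request. Reject guests
        // explicitly, whichever area dispatched the call.
        if ($user === null || $user->guest) {
            throw new \RuntimeException(Text::_('JERROR_ALERTNOAUTHOR'), 403);
        }

        // Least privilege (AC-6): require the specific permission this
        // action needs, not merely "is logged in". Asset name is assumed.
        if (!$user->authorise('core.manage', 'com_example')) {
            throw new \RuntimeException(Text::_('JERROR_ALERTNOAUTHOR'), 403);
        }

        // Only after both checks pass does the administrative work run.
        return ['status' => 'ok', 'user' => (int) $user->id];
    }
}
```

com_ajax turns an uncaught exception into a JSON error response, so the thrown 403 is what the unauthenticated caller sees; the same pattern applies to site-area ajax handlers that expose privileged functionality.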

Details

CWE(s)

CWE-284 Improper Access Control

Affected Products

Vendor: joomla
Product: joomla!
Versions: 3.0.0 to 5.4.4; 6.0.0 to 6.0.4

CVEs Like This One

CVE-2026-23899: same product (Joomla Joomla!)
CVE-2024-40749: same product (Joomla Joomla!)
CVE-2026-21630: same product (Joomla Joomla!)
CVE-2024-40748: same product (Joomla Joomla!)
CVE-2026-23898: same product (Joomla Joomla!)
CVE-2025-24411: same product class (CMS core)
CVE-2026-21289: same product class (CMS core)
CVE-2026-21309: same product class (CMS core)
CVE-2024-8855: same product class (CMS core)
CVE-2025-24409: same product class (CMS core)

References