The Joomla! Project has issued an emergency release pushing out updates for Joomla 6.1.2 and Joomla 5.4.7. This security and bugfix release addresses critical access control vulnerabilities buried within the core framework architecture that put sites at immediate risk of administrative takeovers.
Because these patches resolve fundamental security issues in the core engine rather than a third-party extension, every administrator running a Joomla 5.x or 6.x site needs to apply this update immediately.
The Core Threat: API Privilege Escalation (CVE-2026-48904)
The most dangerous issue fixed in this release resides directly in the REST API webservice endpoint for user management (specifically the com_users component handler). Security audits discovered an improper validation check on incoming group editing operations via web requests.
Due to this broken access control, unauthenticated remote actors can send structured HTTP POST or PATCH requests directly to the Joomla API path (/api/index.php). The server will then process user-group changes without validating if the sender possesses active backend administrator rights. This allows an external attacker to seamlessly elevate a standard user account—or a guest session—directly into the Super User group, granting full administrative ownership of the site without a password.
How to Protect Your Sites Immediately
1. Update the Core Engine: Log into your Joomla control panel, navigate to the Update Manager, and pull down the 6.1.2 or 5.4.7 upgrade package immediately. If you manage multiple properties, prioritize this update over all plugin maintenance cycles.
2. Temporary API Workaround: If you cannot update the site core immediately, log into your administration panel, navigate to your plugin list, find the "Web Services - Users" plugin, and temporarily disable it. This closes the specific API entry point used by attackers.
3. Database Audit: Check your user database tables (specifically #__user_usergroup_map) for any unexpected additions to the Administrator or Super User groups that do not align with your official site audit logs.

Comments