High

Improper access check in Joomla! webservice configuration endpoint

IdentifiersCVE-2026-23899CWE-284· Improper Access Control

CVE-2026-23899 is an improper access control issue in Joomla! webservice endpoints, specifically described in the provided content as affecting access to the configuration API endpoint at /api/index.php/v1/config/application. The flaw allows a requester presenting a valid Joomla! API token to access functionality that should be restricted, regardless of the token holder's effective privilege level. Using an HTTP GET request with the X-Joomla-Token header, an attacker can retrieve the application's full global configuration as a JSON object. Exposed values may include database connection parameters, application secrets, and SMTP credentials. The same endpoint also accepts HTTP PATCH requests, allowing unauthorized modification of security-relevant configuration values such as upload-related settings and session lifetimes. The issue is therefore not merely information disclosure; it also enables unauthorized configuration tampering that can be leveraged for further compromise, including paths to code execution or durable administrative control.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in full disclosure of Joomla!'s global configuration, including high-value secrets such as database credentials, application secret material, and SMTP passwords. Those secrets may enable direct compromise of backend services outside the web application itself, including database infrastructure and mail relays. In addition, unauthorized PATCH access to the configuration endpoint allows attackers to alter security-sensitive settings, weakening application defenses and enabling secondary attack chains. According to the provided content, configuration modification can provide a reliable path to arbitrary code execution or persistent administrative access. Overall impact is high across confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

Until vendor fixes are fully deployed, restrict or disable exposure of Joomla! webservice/API endpoints where operationally feasible, especially /api/index.php/v1/config/application. Limit API access through network controls, reverse-proxy ACLs, or IP allowlisting. Revoke and reissue Joomla! API tokens, particularly for low-privileged or potentially compromised accounts, and monitor for GET or PATCH requests to the affected endpoint. Review logs for use of the X-Joomla-Token header against configuration endpoints, inspect application settings for unauthorized modification, and rotate backend credentials and secrets if exposure is suspected. Minimizing token issuance and disabling unnecessary API functionality will reduce attack surface.

Remediation

Patch, then assume compromise.

Apply the Joomla! security update referenced in the vendor advisory for CVE-2026-23899. Because the flaw is caused by an improper access check on webservice endpoints, remediation should ensure that access to /api/index.php/v1/config/application and similar administrative API functionality is restricted to appropriately privileged principals only, with server-side authorization enforced independently of mere token validity. After patching, rotate any credentials or secrets that may have been exposed through the configuration endpoint, including database passwords, SMTP credentials, API tokens, and application secrets, and review configuration settings for unauthorized changes.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

JoomlaJoomla!application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

cvefeed high severityNews

Apr 1, 2026

CVE-2026-23899 - Joomla! Core - [20260306] - Improper access check in webservice endpoints

An improper access check vulnerability in Joomla core that allows unauthorized access to webservice endpoints.

cvereportsNews

Apr 1, 2026

CVE-2026-23899: CVE-2026-23899: Improper Access Check in Joomla! com_config Webservices | CVEReports

A Joomla! API vulnerability that allows an attacker with any valid Joomla! API token to read the application's global configuration and potentially modify it, exposing sensitive credentials and enabling follow-on arbitrary code execution or persistent administrative access.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2