Two-Factor Authentication Bypass in Joomla Core
CVE-2026-48896

8.2HIGH

Key Information:

Vendor: Joomla
Status: Joomla! Cms
Vendor: CVE Published:; 26 May 2026

What is CVE-2026-48896?

A vulnerability in the Joomla core allows attackers to bypass two-factor authentication (2FA) mechanisms due to insufficient state checks. This oversight can lead to unauthorized access, enabling malicious actors to exploit user accounts without necessary robust authentication measures. Users of Joomla 3.x and 4.x should take immediate action to mitigate risks associated with this vulnerability by updating their systems and implementing enhanced security protocols.

Affected Version(s)

Joomla! CMS 4.0.0-5.4.5

Joomla! CMS 6.0.0-6.1.0

References

https://developer.joomla.org/security-centre/1043-2026051...

vendor-advisory

CVSS V4

Score:

8.2

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 26, 2026
Vulnerability Reserved
May 26, 2026

Credit

Doyensec in collaboration with Claude and Anthropic Research

Christos Papakonstantinou, Cantina

CVE-2026-48896 Data

JSON