VYPR
Medium severity · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-35220

Description

Lack of CSRF token validation leads to a CSRF attack vector in the admin activation endpoint of com_users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF token validation is missing in Joomla's admin user activation endpoint, enabling cross-site request forgery attacks.

Vulnerability

A missing CSRF token validation in the admin activation endpoint of the com_users component creates a CSRF attack vector in Joomla! CMS versions 6.0.0 through 6.1.0. Because the endpoint performs no token check, an attacker can forge requests that appear to come from an authenticated administrator.

Exploitation

An attacker must trick an authenticated administrator into visiting a malicious page or clicking a crafted link while logged into the Joomla backend. The attacker constructs a request that targets the activation endpoint, and no CSRF token is verified on the server side.
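The server-side check that the narrative above describes as missing, shown as an added illustration of how a Joomla 4+ administrator controller task validates the session form token before acting (example code, not Joomla's own com_users implementation; the Acme\Component\Demo namespace, the UsersController class, the User model's activate() method and the task names are assumptions).

```php
<?php
// Added illustration for a Joomla 4+ administrator component; not Joomla's own com_users code.
// The component namespace, controller, model method and task names are assumed.
namespace Acme\Component\Demo\Administrator\Controller;

\defined('_JEXEC') or die;

use Joomla\CMS\Language\Text;
use Joomla\CMS\MVC\Controller\AdminController;

class UsersController extends AdminController
{
    /**
     * Task reached by POST from the users list form, which must emit the session
     * form token as a hidden field via HTMLHelper::_('form.token').
     *
     * A forged cross-site request cannot include the victim's session token, so the
     * server-side check is what stops a third-party page from driving this endpoint.
     */
    public function activate()
    {
        // Validate the posted token. On failure Joomla enqueues JINVALID_TOKEN_NOTICE,
        // redirects to the referrer and ends the request, so nothing below runs.
        $this->checkToken();

        $ids = (array) $this->input->get('cid', [], 'int');

        if (empty($ids)) {
            $this->app->enqueueMessage(Text::_('JERROR_NO_ITEMS_SELECTED'), 'warning');
            $this->setRedirect('index.php?option=com_demo&view=users');
            return;
        }

        // The activation itself lives in the model (activate() is an assumed method).
        $this->getModel('User')->activate($ids);
        $this->setRedirect('index.php?option=com_demo&view=users');
    }

    /**
     * Same protection for a plain link (GET). The link must carry the token as a
     * parameter name, e.g. 'index.php?option=com_demo&task=users.activateOne&id=42&'
     * . Session::getFormToken() . '=1', and is validated here with the 'get' method.
     */
    public function activateOne()
    {
        $this->checkToken('get');
        $this->getModel('User')->activate([$this->input->getInt('id')]);
        $this->setRedirect('index.php?option=com_demo&view=users');
    }
}
```

The token is bound to the administrator's session, which is exactly what a page on another origin cannot read or supply; the check has to sit in the controller task, before any state change.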

Impact

A successful CSRF attack can force an unintended user activation, leading to unauthorized administrator-level actions. This can compromise the confidentiality, integrity, and availability of the Joomla site.

Mitigation

Upgrade to Joomla! CMS version 6.1.1, released on 2026-05-26 [1]. No workaround is available for older versions; the fixed version is the only remedy.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)