VYPR
High severity · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-48897

Description

Insufficient state checks lead to a vector that allows bypassing 2FA checks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Insufficient session state checks in Joomla CMS allow attackers to bypass two-factor authentication.

Vulnerability

In Joomla CMS versions 4.0.0 to 5.4.5 and 6.0.0 to 6.1.0, incorrect handling of session state resets allows attackers to bypass two-factor authentication (2FA). The vulnerability stems from insufficient state checks during the authentication process [1].

Exploitation

An attacker with valid user credentials can exploit the flawed session state management by manipulating session states, potentially through a crafted request, to skip the 2FA verification step [1].

Impact

Successful exploitation allows an attacker to authenticate as another user without completing the 2FA process, leading to unauthorized account access and potential data compromise [1].

Mitigation

Upgrade to Joomla CMS version 5.4.6 or 6.1.1, released on 2026-05-26 [1]. For affected versions (4.0.0-5.4.5 and 6.0.0-6.1.0), no workaround is available other than updating [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

References: 1