VYPR
Unrated severity · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-48902

Description

The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Joomla! reset links fail to use HTTPS when Force SSL is disabled, downgrading transport encryption.

Vulnerability

Joomla! CMS versions 3.9.0 through 5.4.5 and 6.0.0 through 6.1.0 generate password and username reset links using plain HTTP instead of HTTPS when the "Force SSL" configuration flag is not explicitly enabled. This affects both the password and username reset features, regardless of whether the site itself is served over HTTPS.

Exploitation

An attacker with network access (e.g., on a shared Wi-Fi network or in a man-in-the-middle position) can intercept the plain HTTP reset link sent to the user. The attacker needs no authentication; the only user interaction required is that the victim triggers the reset flow, receives the link, and follows it. The attacker simply observes or modifies the HTTP traffic.

Impact

Successful exploitation allows the attacker to read the reset token from the plain HTTP request. With the token, the attacker can reset the victim’s password or username, gaining unauthorized access to the victim's Joomla! account. The confidentiality and integrity of the account are compromised, with potential for privilege escalation depending on the victim's role.

Mitigation

Upgrade to Joomla! CMS version 5.4.6 (for 3.x/5.x branches) or 6.1.1 (for 6.x branch), as fixed on 2026-05-26 [1]. Administrators can also enable the "Force SSL" flag in Global Configuration to enforce HTTPS for all sensitive operations as a workaround. No evidence of exploitation in the wild was reported as of publication.
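The defect described above, and the effect of the "Force SSL" workaround, reduced to a small Python model. This is an added example, not Joomla's code: `SiteConfig`, `Request`, `RESET_PATH`, the two `build_reset_link_*` functions and `audit_links` are hypothetical names, and the sample links are constructed. It shows the vulnerable pattern (scheme chosen from the config flag alone) beside the hardened one (scheme also taken from the request the user actually made), plus a check an administrator could run over logged reset links to find ones that downgrade an HTTPS session to HTTP.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class SiteConfig:
    """Subset of a site's global configuration (hypothetical model)."""
    host: str
    force_ssl: bool = False  # models the "Force SSL" flag; off by default


@dataclass
class Request:
    """The scheme the visitor's request actually arrived on."""
    scheme: str  # "http" or "https"


RESET_PATH = "/user/reset"  # hypothetical path, not Joomla's real route


def build_reset_link_vulnerable(cfg: SiteConfig, req: Request, token: str) -> str:
    """Defective pattern: the scheme is taken from the config flag alone,
    so an HTTPS site without Force SSL hands out an http:// link."""
    scheme = "https" if cfg.force_ssl else "http"
    return f"{scheme}://{cfg.host}{RESET_PATH}?token={token}"


def build_reset_link_fixed(cfg: SiteConfig, req: Request, token: str) -> str:
    """Hardened pattern: honour the request's own scheme as well as the flag,
    so the link never downgrades a connection that was already HTTPS."""
    scheme = "https" if (cfg.force_ssl or req.scheme == "https") else "http"
    return f"{scheme}://{cfg.host}{RESET_PATH}?token={token}"


def transport_downgraded(link: str, req: Request) -> bool:
    """True when a link would carry the token over plain HTTP although the
    user reached the site over HTTPS."""
    return req.scheme == "https" and urlsplit(link).scheme == "http"


# Constructed sample of (request scheme, emitted reset link) pairs, as an
# administrator might assemble them from outbound-mail logs; not real data.
SAMPLE_LINKS = [
    ("https", "http://example.test/user/reset?token=AAAA1111"),
    ("https", "https://example.test/user/reset?token=BBBB2222"),
    ("http", "http://example.test/user/reset?token=CCCC3333"),
]


def audit_links(samples):
    """Return the links that downgrade an HTTPS session to HTTP."""
    return [link for scheme, link in samples
            if transport_downgraded(link, Request(scheme))]


if __name__ == "__main__":
    cfg = SiteConfig("example.test", force_ssl=False)
    req = Request("https")
    print("vulnerable:", build_reset_link_vulnerable(cfg, req, "tok"))
    print("fixed:     ", build_reset_link_fixed(cfg, req, "tok"))
    print("downgraded:", audit_links(SAMPLE_LINKS))
```

With `force_ssl=False` and an HTTPS request, the vulnerable builder returns an `http://` link and the fixed one an `https://` link; with `force_ssl=True` both return `https://`, which is why enabling the flag works as a workaround until the site is upgraded.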

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 1
