vnth4nhnt
Joomla CMS is one of the most popular open-source content management systems (CMS), powering millions of websites worldwide. Since version 4.0, Joomla has included a native REST API layer that allows external applications – headless frontends, mobile backends, and third-party integrations – to interact directly with the system’s data without going through the administrator interface.
This REST API shares the same MVC foundation as the administrator interface but is built with its own controllers, dispatchers, and authorization mechanisms. That separation can easily lead to asymmetric protection: the same resource is tightly controlled in the administrator interface but left unguarded in the API layer. Both vulnerabilities discovered by CyStack are manifestations of this pattern.
While researching the Joomla CMS REST API, CyStack identified two independent vulnerabilities in its webservice endpoints. Both were reported to the Joomla Security Strike Team and fixed in Joomla 5.4.4 and 6.0.4, released on March 31, 2026.
| CVE | Type | Scope | Affected versions | Fixed version | CVSS Score |
|---|---|---|---|---|---|
| CVE-2026-21630 | SQL Injection (CWE-89) | com_content articles endpoint | 4.0.0–5.4.3, 6.0.0–6.0.3 | 5.4.4, 6.0.4 | 8.8 – HIGH |
| CVE-2026-23899 | Improper Access Control (CWE-284) | com_config endpoints | 4.0.0–5.4.3, 6.0.0–6.0.3 | 5.4.4, 6.0.4 | 8.6 – HIGH |
Administrators running Joomla in production are advised to upgrade as soon as possible.
The GET /api/index.php/v1/content/articles endpoint accepts two client-supplied parameters – list[ordering] and list[direction] – without validating their values against the model’s whitelist. The supplied values are then passed into the query’s ORDER BY clause through an escape function that is only safe for quoted string literals, not for identifiers or expressions as used in ORDER BY.
Any user authorized to call the API can inject SQL expressions into the query to extract arbitrary data from the database – including administrator password hashes and active session tokens. CyStack confirmed exploitation using both time-based and boolean-based blind injection against a Joomla 6.0.3 instance.
This is a regression of CVE-2025-22207 – the same pattern was patched in another component, but that fix was not extended across the full API surface. This is also why Joomla committed the fix for CVE-2026-21630 to the API base controller (ApiController) rather than to com_content alone.
- The com_content API allows extraction of all data from the Joomla database, including the #__users and #__session tables, configuration tables, and data from any extension sharing the database.
- The #__session table can be retrieved directly, enabling administrator session takeover without the need to crack passwords.
- Exploitation from any account with API access (only the core.login.api permission is required) leads to full site takeover.

Credit: Antonio Morales (GitHub Security Lab Taskflow Agent) and vnth4nhnt (CyStack).
The com_config API controller does not enforce the core.admin authorization check before returning or permitting modification of global configuration. While the administrator interface enforces this permission at both the dispatcher and controller tiers, the API layer inherits only the default core.edit check from the base controller.
As a result, any user with API access can read the full Joomla configuration – including database credentials, the secret key used for session and token integrity, SMTP credentials, and component-level tokens such as the com_joomlaupdate update token. The configuration update endpoint requires only core.edit, allowing users in the Editor group or higher to modify global configuration.
By default, Joomla grants core.login.api only to the Super User group, limiting the initial attack surface. However, real-world deployments commonly extend API access to lower-privileged user groups to support headless CMS, mobile backend, and third-party integration scenarios – in those environments, the vulnerability enables disclosure of sensitive information from a non-administrator account.
- Secret key disclosure: the HMAC key used for session and authentication tokens is leaked, enabling an attacker to forge valid API bearer tokens for any account with a Joomla Token configured, including Super User accounts.
- Configuration tampering: users holding core.edit can modify global settings, for example changing the sendmail path (leading to Remote Code Execution when chained with other vectors), enabling debug mode to expose stack traces, or altering CORS and session settings.
- Update token disclosure: the update token of com_joomlaupdate is leaked, potentially allowing manipulation of the Joomla auto-update process.

Credit: vnth4nhnt (CyStack).
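Detection logic covering both issues described above, as an added example that is not part of the original advisory or of Joomla's own code: it scans constructed web-server access-log lines for requests to the articles endpoint whose list[ordering] or list[direction] values are not a plain column name or ASC/DESC, and for any access to the global configuration endpoints (the /v1/config/ path prefix is an assumption).

```python
import re
from urllib.parse import parse_qs, urlsplit

# A legitimate ordering value is a bare column name with an optional table alias, e.g. "a.title".
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$")
VALID_DIRECTIONS = {"asc", "desc"}
ARTICLES_PATH = "/api/index.php/v1/content/articles"
CONFIG_PREFIX = "/api/index.php/v1/config/"  # assumed location of the com_config API endpoints

# Matches the request part of a common/combined access-log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def inspect_request(line):
    """Return a list of findings for one access-log line (empty when nothing is suspicious)."""
    m = LOG_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m["target"])
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes list%5Bordering%5D -> list[ordering]
    findings = []
    if parts.path == ARTICLES_PATH:
        for ordering in params.get("list[ordering]", []):
            if not IDENT_RE.match(ordering):
                findings.append(f"list[ordering] is not a plain column name: {ordering!r}")
        for direction in params.get("list[direction]", []):
            if direction.lower() not in VALID_DIRECTIONS:
                findings.append(f"list[direction] is not ASC/DESC: {direction!r}")
    elif parts.path.startswith(CONFIG_PREFIX):
        # Every read or write of global configuration via the API deserves review.
        findings.append(f"{m['method']} on global configuration endpoint (status {m['status']})")
    return findings


def scan(lines):
    """Return (line number, finding) pairs for a whole log."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in inspect_request(line)]


# Constructed sample log: one benign request, two malformed ordering parameters, one config read.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Apr/2026:10:00:01 +0000] "GET /api/index.php/v1/content/articles?list%5Bordering%5D=a.title&list%5Bdirection%5D=ASC HTTP/1.1" 200 4120',
    '10.0.0.5 - - [02/Apr/2026:10:00:02 +0000] "GET /api/index.php/v1/content/articles?list%5Bordering%5D=a.id%2C%28SELECT%201%29 HTTP/1.1" 200 4120',
    '10.0.0.5 - - [02/Apr/2026:10:00:03 +0000] "GET /api/index.php/v1/content/articles?list%5Bdirection%5D=DESC%2C1 HTTP/1.1" 200 4120',
    '10.0.0.5 - - [02/Apr/2026:10:00:04 +0000] "GET /api/index.php/v1/config/application HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LOG):
        print(f"line {n}: {finding}")
```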
- Rotate the secret key, database credentials, and SMTP credentials.
- Restrict the core.login.api permission to the minimum required.

| Date | Event |
|---|---|
| 2026-03-05 | SQL Injection vulnerability reported by Antonio Morales (GitHub Security Lab Taskflow Agent) |
| 2026-03-09 | SQL Injection vulnerability independently reported by vnth4nhnt (CyStack) |
| 2026-03-09 | Improper Access Check vulnerability reported by vnth4nhnt (CyStack) |
| 2026-03-31 | Joomla 5.4.4 and 6.0.4 released, patching both vulnerabilities. Public advisory. |