CVE-2021-26040

9.1 CRITICAL

📋 TL;DR

In Joomla! 4.0.0 the deletion endpoint of the media manager component (com_media) does not enforce the delete permission. Any authenticated backend user whose group can open the media manager can delete files under the media root, regardless of whether that group has been granted the Delete action, removing images and documents the site depends on, breaking pages or forcing a restore from backup. Every Joomla! 4.0.0 installation is affected, because com_media is a core component that ships enabled.

💻 Affected Systems

Products:
  • Joomla!
Versions: 4.0.0 only
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Joomla! 4.0.0; earlier versions and later versions are not vulnerable. Requires authenticated user with media manager access.

📦 What is this software?

Joomla! is an open-source content management system written in PHP. com_media is its core media manager component, used from the administrator backend to browse, upload and delete images and documents under the site's media root. In Joomla! 4 the media manager was rebuilt as a JavaScript application that talks to a JSON API (the task=api.files endpoint under /administrator/index.php); this advisory concerns the access control on that API's deletion method.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker holding any backend account that can open the media manager (a compromised or malicious editor account is enough) wipes the entire media library. Every page that embeds those images or links those documents breaks, and the site needs a restore from backup.

🟠 Likely Case

A lower-privileged backend user deletes individual media files or folders that their group was never granted the right to delete, breaking the affected pages until the files are manually restored.

🟢 If Mitigated

With media manager access limited to trusted administrators and deletions monitored, the endpoint is only reachable by accounts that are allowed to delete anyway, and impact is confined to intended deletions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation needs a valid backend account that can reach the media manager, but nothing more: once logged in, deleting a file is a single request to the com_media API endpoint, so no tooling beyond a browser is required. Because the affected API is the one the media manager's own interface calls, anyone who can use that interface can trigger the flaw.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.1 and later

Vendor Advisory: https://developer.joomla.org/security-centre/861-20210801-core-insufficient-access-control-for-com-media-deletion-endpoint

Restart Required: No

Instructions:

  1. Back up the Joomla! installation and its database.
  2. Update to Joomla! 4.0.1 or later via the Joomla! Update component (System > Update > Joomla) in the administrator panel.
  3. Verify the update completed: the version shown in the administrator panel must be 4.0.1 or later.

🔧 Temporary Workarounds

Disable media manager for non-admin users

all

Restrict media manager access to trusted administrator accounts only, so that lower-privileged backend users cannot reach the vulnerable endpoint at all.

In the administrator panel open Content > Media, click Options, and on the Permissions tab set "Access Administration Interface" to Denied for every user group that does not need the media manager. Because the flaw is precisely that the deletion endpoint does not enforce the delete permission, denying only the Delete action for a group is not a reliable mitigation; the group has to lose access to the component entirely.

Implement file system permissions

linux

Make the media root non-writable by the PHP process. On Linux the ability to delete a file comes from write permission on its parent directory, not from the file's own mode bits, so chmod 644 on the files alone does not stop a deletion performed by the web server user that owns them. Hand the media tree to root with the web server's group as read-only group; this also disables uploads until you patch, which is the intended trade-off. Joomla! 4's local filesystem adapter serves images/ by default (check the Filesystem - Local plugin for any additional directories); adjust the path and the group name (www-data here) to your layout.

chown -R root:www-data /path/to/joomla/images
find /path/to/joomla/images -type d -exec chmod 755 {} +
find /path/to/joomla/images -type f -exec chmod 644 {} +

🧯 If You Can't Patch

  • Restrict media manager access to trusted administrator accounts only
  • Implement regular backups and monitor file deletion logs for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Open System > System Information in the administrator panel and read the Joomla! version. If it is exactly 4.0.0, the system is vulnerable; 4.0.1 and later carry the fix.

Check Version:

Check Joomla! administrator panel or examine /administrator/manifests/files/joomla.xml file version tag

Verify Fix Applied:

After updating, confirm the administrator panel reports 4.0.1 or later. Then, with a test account in a group that has "Access Administration Interface" for com_media but the Delete action set to Denied, attempt to delete a throwaway file through the media manager: the request must be rejected and the file must remain on disk.
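The version check above can be scripted for a fleet of installs. The following is an added example (not Joomla! project code) that reads the version tag from administrator/manifests/files/joomla.xml and reports whether it is the single release this advisory covers; the sample manifests are constructed and trimmed to the elements the check needs, and the install root passed to check_install is the caller's own path.

```python
"""Added example, not Joomla! project code: read the core version from
administrator/manifests/files/joomla.xml and report whether it is the one
release this advisory covers (4.0.0)."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

VULNERABLE_VERSION = (4, 0, 0)  # the only affected release per the advisory


def parse_version(text):
    """Turn '4.0.1' (or '4.0.0-rc1') into a numeric triple.

    A pre-release suffix is dropped on purpose (a design choice of this
    example): 4.0.0 release candidates are then reported like 4.0.0, so the
    check errs on the side of flagging a build for manual review."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(n) for n in m.groups())


def manifest_version(xml_text):
    """Extract the <version> element from a Joomla! file-manifest document."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not node.text:
        raise ValueError("manifest has no <version> element")
    return parse_version(node.text)


def is_vulnerable(version):
    return tuple(version) == VULNERABLE_VERSION


def check_install(joomla_root):
    """Read the manifest under a real install root (the path is the caller's)."""
    manifest = Path(joomla_root, "administrator", "manifests", "files", "joomla.xml")
    return is_vulnerable(manifest_version(manifest.read_text(encoding="utf-8")))


# Constructed sample manifests, trimmed to the elements this check needs.
SAMPLE_MANIFEST_400 = """<extension type="file" method="upgrade">
  <name>files_joomla</name>
  <version>4.0.0</version>
</extension>"""

SAMPLE_MANIFEST_401 = SAMPLE_MANIFEST_400.replace("4.0.0", "4.0.1")

if __name__ == "__main__":
    for label, doc in (("4.0.0", SAMPLE_MANIFEST_400), ("4.0.1", SAMPLE_MANIFEST_401)):
        state = "VULNERABLE" if is_vulnerable(manifest_version(doc)) else "not affected"
        print(label, state)
```

Run it as check_install("/path/to/joomla") on each host; the manifest is readable by the web server user, so the check needs no database access.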

📡 Detection & Monitoring

Log Indicators:

  • Deletions of media files that the acting user's group was never granted the Delete action for
  • Bursts of DELETE requests to the com_media API from a single session or client address
  • Media files disappearing from the media root (images/ by default) with no matching administrator action, as reported by file-integrity monitoring

Network Indicators:

  • HTTP DELETE requests to /administrator/index.php?option=com_media&task=api.files&path=... from client addresses that are not known administrator workstations. Joomla! sessions are cookie-based, so the web server log shows the client address, not the account; correlate with administrator login events to attribute a request to a user.

SIEM Query:

Run this against the web server access log rather than Joomla!'s own error log, which does not record the HTTP method. Group the search terms explicitly: AND binds tighter than OR, so an unparenthesised mix of "delete" OR "DELETE" matches every DELETE on the host. Substitute your administrators' workstation addresses for the placeholder list:

source="access.log" "DELETE /administrator/index.php" "option=com_media" "task=api.files" NOT src_ip IN ("<trusted admin IPs>")
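The same detection as a script that can be run over an exported access log. This is an added example, not part of the original page or of Joomla!: it parses Combined Log Format lines, keeps only DELETE requests to the com_media api.files endpoint, and groups them by client address. The log lines are constructed, the addresses are documentation ranges, and the trusted-address allowlist standing in for "known administrator workstations" is an assumption of the example (access logs carry no Joomla! username).

```python
"""Added example (not Joomla! code): find media-manager deletion calls in
Combined Log Format access logs and group them by client address."""
import re
from urllib.parse import parse_qs, urlsplit

# host ident authuser [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_media_delete(rec):
    """True for an HTTP DELETE aimed at the com_media files API."""
    if rec["method"] != "DELETE":
        return False
    parts = urlsplit(rec["target"])
    if not parts.path.endswith("/administrator/index.php"):
        return False
    q = parse_qs(parts.query)  # percent-decodes the values for us
    return q.get("option") == ["com_media"] and q.get("task") == ["api.files"]


def media_deletes(lines, trusted_ips=frozenset()):
    """Map client address -> [(timestamp, deleted path, status), ...],
    skipping addresses on the allowlist (assumed admin workstations)."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in trusted_ips or not is_media_delete(rec):
            continue
        q = parse_qs(urlsplit(rec["target"]).query)
        path = q.get("path", [""])[0]
        hits.setdefault(rec["ip"], []).append((rec["ts"], path, int(rec["status"])))
    return hits


def flag_bulk(hits, threshold):
    """Addresses with at least `threshold` deletions, sorted for stable output."""
    return sorted(ip for ip, events in hits.items() if len(events) >= threshold)


# Constructed sample log: a browse, two deletions from one address, one from
# another, and an unrelated DELETE that must not match.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2021:10:15:01 +0000] "GET /administrator/index.php?option=com_media&path=local-images:/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2021:10:15:09 +0000] "DELETE /administrator/index.php?option=com_media&format=json&task=api.files&path=local-images%3A%2Fbanners%2Fhero.jpg HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2021:10:15:10 +0000] "DELETE /administrator/index.php?option=com_media&format=json&task=api.files&path=local-images%3A%2Fbanners%2Flogo.png HTTP/1.1" 200 57 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Aug/2021:11:02:44 +0000] "DELETE /administrator/index.php?option=com_media&format=json&task=api.files&path=local-images%3A%2Fold.jpg HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2021:10:16:00 +0000] "DELETE /administrator/index.php?option=com_content&task=articles.delete HTTP/1.1" 403 12 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = media_deletes(SAMPLE_LOG.splitlines(), trusted_ips={"198.51.100.2"})
    for ip, events in found.items():
        for ts, path, status in events:
            print(f"{ip} {ts} {status} {path}")
    print("bulk deleters:", flag_bulk(found, 2))
```

Feed it the real log with something like media_deletes(open("access.log")); a single 200 response to this endpoint from a non-admin address is already worth a look, and a high count from one address in a short window is the pattern of a library wipe.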

🔗 References

  • Joomla! Security Centre, [20210801] Core - Insufficient access control for com_media deletion endpoint: https://developer.joomla.org/security-centre/861-20210801-core-insufficient-access-control-for-com-media-deletion-endpoint
  • NVD entry for CVE-2021-26040: https://nvd.nist.gov/vuln/detail/CVE-2021-26040
