If your Joomla! site isn't fully locking down HTTPS connections, you're at risk. A recent vulnerability, CVE-2026-48902, affects Joomla! CMS versions 3.9.0 through 6.1.0. This flaw can expose users' password and username reset links to potential interception by downgrading, known as mixed content issues. This happens if the "Force SSL" option isn't set.
What happened
In Joomla! CMS versions 3.9.0 to 5.4.5 and 6.0.0 to 6.1.0, the password and username reset functions defaulted to plain HTTP links, even in HTTPS contexts. This occurs when the "Force SSL" flag is not active, essentially downgrading the secure transport. This issue, CVE-2026-48902, allows for possible interference and data capture during the link's transit. Joomla! has addressed this with updates in versions 5.4.6 and 6.1.1, released on May 26, 2026.
Why it matters for website owners
Website owners using affected Joomla! versions may inadvertently put users' sensitive reset actions at risk. Attackers could intercept or alter reset links, potentially leading to unauthorized access or credentials leak. Ensuring your site forces HTTPS for all communications is crucial to protect user data and maintain trust.
What to check on your site
- Verify your Joomla! version and update to 5.4.6 or 6.1.1 to patch this vulnerability. Use the Joomla Stack Checker for assistance.
- Ensure that the "Force SSL" option is enabled site-wide to avoid HTTP downgrades. Confirm this with the Hsts Checker.
- Run the SSL Checker to validate your SSL certificate configurations and renew any that are expired or misconfigured.
- Check HTTP headers with the Headers Analyzer to further secure your site's communication.
- Reinforce your HTTP server's response security using the Tls Deep Analysis.
Related reading
Sources
- Joomla on 2026-05-26
