CVE-2026-56290 — Joomlack Page Builder Improper Access Control Vulnerability

CVE-2026-56290

Joomlack Page Builder CK — CSRF-Token-Only Upload Check Bypassed via Public Token Harvesting

What is Joomlack Page Builder CK?

Page Builder CK is a drag-and-drop page-building extension for the Joomla content management system, published by the French developer Joomlack, used to visually construct page layouts without editing template code directly. Like other Joomla extensions, it exposes its own controller endpoints directly through Joomla's front-end routing, meaning any authorization weakness in those endpoints is reachable by any internet visitor to the site.

Overview

Joomlack Page Builder CK contains an improper access control vulnerability in a front-end file-upload endpoint that checked only a CSRF token — no authentication and no authorization check were performed. Because Joomla renders CSRF tokens into its own public-facing pages by design, any anonymous visitor can retrieve a valid token with a single ordinary page request and then reuse it to satisfy the upload endpoint's only check, fully neutralizing the protection. The endpoint additionally allowed the caller to influence the destination folder and filename, and the exploited artifact was later observed live at /media/com_pagebuilderck/gfonts/bhup.php — a small uploaded handler file used to receive further uploaded content.

Affected Versions

Product Vulnerable Fixed
Page Builder CK (Joomla 5) Up to and including 3.5.10 3.6.0
Page Builder CK (Joomla 4 back-port) Prior versions 3.4.10
Page Builder CK (Joomla 3 back-port) Prior versions 3.1.1

All three fixed versions were released on June 27, 2026.

Technical Details

  • Root cause: The upload endpoint enforced only a CSRF token check rather than a genuine authentication/authorization check, and CSRF tokens are trivially harvestable from any public page on the same Joomla site (CWE-284: Improper Access Control).
  • Attack vector: Network, no privileges or user interaction required (AV:N/AC:L/PR:N/UI:N). CVSS score: 9.8 (Critical).
  • Attack characteristics: A two-step attack: first, an unauthenticated GET request to any public page on the target site harvests a valid CSRF token; second, that token is replayed in a POST request to the upload endpoint, which also accepts attacker-influenced destination path/filename parameters, to place a PHP file in a web-accessible location.
  • Impact: Full remote code execution in the context of the web server process, with corresponding high confidentiality, integrity, and availability impact.

Discovery

Credited to Phil Taylor of mySites.guru, whose team's monitoring across a large base of Joomla sites detected a live web shell on a client's site within hours of the June 27, 2026 fix release, confirming active exploitation.

Exploitation Context

Exploitation was extremely rapid — a live web shell was detected on a connected site within hours of the patched version becoming available, suggesting exploitation may have begun before or immediately upon public disclosure. CISA added this CVE to the KEV catalog on July 7, 2026 alongside CVE-2026-48908 (JoomShaper SP Page Builder), a near-identical unauthenticated file-upload flaw in a different Joomla page-builder extension. This is the third of four related Joomla extension file-upload CVEs in this KEV batch attributed to mySites.guru (alongside CVE-2026-48908, CVE-2026-48939, and CVE-2026-56291), all surfaced via the same detection method: client-forwarded evidence of live compromise traced back to a vulnerable upload handler. The Centre for Cybersecurity Belgium issued a dedicated advisory for this CVE. No specific threat-actor name or exposure/Shodan count has been published.

Remediation

  1. Update Page Builder CK to 3.6.0 (Joomla 5), 3.4.10 (Joomla 4), or 3.1.1 (Joomla 3) immediately, matching your Joomla major version.
  2. Check for the known compromise artifact at media/com_pagebuilderck/gfonts/bhup.php and any similarly-named unexpected PHP files under media/com_pagebuilderck/.
  3. Review web server access logs for anomalous POST requests to the extension's upload endpoint, particularly those immediately preceded by a page-token-harvesting GET request from the same source.
  4. Restrict direct PHP execution in media/upload directories at the web server level as defense-in-depth against this class of vulnerability.
  5. Follow CISA BOD 26-04 guidance given the July 10, 2026 remediation deadline and evidence of very rapid post-patch exploitation.

Key Details

PropertyValue
CVE ID CVE-2026-56290
Vendor / Product Joomlack — Page Builder
NVD Published2026-06-29
NVD Last Modified2026-07-08
CVSS 3.1 Score9.8
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SeverityCRITICAL
CWE CWE-434 find similar ↗
CISA KEV Added2026-07-07
CISA KEV Deadline2026-07-10
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2026-07-10. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

DateEvent
2026-06-27Joomlack releases Page Builder CK 3.6.0 (plus 3.4.10 and 3.1.1 back-ports) fixing the flaw
2026-06-27mySites.guru detects a live web shell on a connected site within hours of the fix release
2026-07-07Added to CISA Known Exploited Vulnerabilities catalog
2026-07-10CISA BOD 22-01 remediation deadline