CVE-2026-56290: Joomlack Page Builder Improper Access Control Exploitation
Detects exploitation attempts targeting CVE-2026-56290, an improper access control vulnerability (CWE-284) in Joomlack Page Builder for Joomla. This KEV-listed vulnerability allows unauthorized access to restricted Page Builder functionality, potentially enabling content manipulation, privilege escalation, or unauthorized administrative actions on affected Joomla installations.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Joomlack
- Product
- Page Builder
Weakness (CWE)
Timeline
- Disclosed
- July 7, 2026
References & Proof of Concept
- https://www.joomlack.fr/en/joomla-extensions/page-builder-ck
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-56290
What is CVE-2026-56290 CVE-2026-56290: Joomlack Page Builder Improper Access Control Exploitation?
CVE-2026-56290: Joomlack Page Builder Improper Access Control Exploitation (CVE-2026-56290) maps to the Initial Access and Privilege Escalation and Defense Evasion tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for CVE-2026-56290: Joomlack Page Builder Improper Access Control Exploitation, covering the data sources and telemetry it touches: Web Application Firewall Logs, IIS Logs, Common Security Log, Azure Monitor. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
union CommonSecurityLog, W3CIISLog
| where TimeGenerated >= ago(7d)
| where RequestURL has_any ("/index.php?option=com_ckpagebuilder", "/index.php?option=com_pagebuilder", "/administrator/index.php?option=com_ckpagebuilder")
| where RequestURL has_any ("task=save", "task=edit", "task=delete", "task=publish", "view=page", "view=element")
| where isnotempty(RequestClientApplication)
| extend SuspiciousAccess = iff(
RequestURL has "administrator" and not(SourceIP in ("known_admin_ips")),
true, false
)
| project TimeGenerated, SourceIP, RequestURL, RequestMethod, SuspiciousAccess, RequestClientApplication, Computer
| order by TimeGenerated desc Detects HTTP requests targeting Joomlack Page Builder (com_ckpagebuilder) component endpoints with write/modify task parameters, which may indicate exploitation of CVE-2026-56290 improper access control.
Data Sources
Required Tables
False Positives
- Legitimate administrators editing page content through the Joomlack Page Builder interface
- Automated content publishing workflows using service accounts with proper credentials
- Security scanning tools performing authorized vulnerability assessments against the Joomla installation
- Content editors with legitimate access performing bulk page operations
Sigma rule & cross-platform mapping
The detection logic for CVE-2026-56290: Joomlack Page Builder Improper Access Control Exploitation (CVE-2026-56290) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: network_connection
product: windows Browse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2026-56290
References (4)
- https://www.joomlack.fr/en/joomla-extensions/page-builder-ck
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-56290
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-56290 Unauthenticated Page Builder Access Probe
Expected signal: Web server access log entry showing GET request to com_ckpagebuilder with task=edit parameter. Vulnerable systems return HTTP 200 with page builder editor content; patched systems return HTTP 403 or redirect to login.
- Test 2CVE-2026-56290 Unauthorized Page Content Save Attempt
Expected signal: POST request to com_ckpagebuilder with task=page.save in web server access logs. Database write operation to Joomla content tables if exploitation succeeds. Joomla action log entry (if plugin enabled) showing content modification without proper user authorization.
- Test 3CVE-2026-56290 Page Builder Admin Function Access as Low-Privilege User
Expected signal: Authentication request followed by access to Page Builder publish endpoint in web server logs. Joomla session table entry for subscriber_test user making requests to com_ckpagebuilder administrative tasks. Action log entries (if enabled) showing publish action attributed to subscriber-level user.
Unlock Pro Content
Get the full detection package for CVE-2026-56290 including response playbook, investigation guide, and atomic red team tests.