CVE-2026-56290 Google Chronicle · YARA-L

Detect CVE-2026-56290: Joomlack Page Builder Improper Access Control Exploitation in Google Chronicle

Detects exploitation attempts targeting CVE-2026-56290, an improper access control vulnerability (CWE-284) in Joomlack Page Builder for Joomla. This KEV-listed vulnerability allows unauthorized access to restricted Page Builder functionality, potentially enabling content manipulation, privilege escalation, or unauthorized administrative actions on affected Joomla installations.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Defense Evasion

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral
rule cve_2026_56290_joomlack_access_control {
  meta:
    author = "df00tech Detection Platform"
    description = "Detects exploitation of CVE-2026-56290 Joomlack Page Builder improper access control"
    severity = "HIGH"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    $http.metadata.event_type = "NETWORK_HTTP"
    $http.network.http.request_url = /option=com_ckpagebuilder/
    $http.network.http.request_url = /task=(save|edit|delete|publish|apply)/
    $http.network.http.response_code = 200
    $ip = $http.principal.ip

  match:
    $ip over 10m

  condition:
    #http > 3
}
high severity medium confidence

Chronicle YARA-L rule detecting repeated successful HTTP requests to Joomlack Page Builder component with write-action task parameters within a 10-minute window, indicating active exploitation.

Data Sources

Chronicle Web Proxy LogsChronicle Network LogsGoogle Cloud Armor Logs

Required Tables

network_http

False Positives & Tuning

  • High-volume content publishing operations by legitimate editors creating multiple pages rapidly
  • Automated content synchronization tools operating on scheduled intervals
  • API-based integrations with third-party content management systems
  • Security researchers performing authorized assessments against test Joomla instances

Other platforms for CVE-2026-56290


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-56290 Unauthenticated Page Builder Access Probe

    Expected signal: Web server access log entry showing GET request to com_ckpagebuilder with task=edit parameter. Vulnerable systems return HTTP 200 with page builder editor content; patched systems return HTTP 403 or redirect to login.

  2. Test 2CVE-2026-56290 Unauthorized Page Content Save Attempt

    Expected signal: POST request to com_ckpagebuilder with task=page.save in web server access logs. Database write operation to Joomla content tables if exploitation succeeds. Joomla action log entry (if plugin enabled) showing content modification without proper user authorization.

  3. Test 3CVE-2026-56290 Page Builder Admin Function Access as Low-Privilege User

    Expected signal: Authentication request followed by access to Page Builder publish endpoint in web server logs. Joomla session table entry for subscriber_test user making requests to com_ckpagebuilder administrative tasks. Action log entries (if enabled) showing publish action attributed to subscriber-level user.

Unlock Pro Content

Get the full detection package for CVE-2026-56290 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections