CVE-2026-21628
- Advisory ID: ASTROID-2026-01
- CVE ID: CVE-2026-21628
- Project: Astroid Framework
- Severity: High
- Release Date: March 10, 2026
- Affected Versions: Astroid Framework < 3.3.11
- Fixed Version: Astroid Framework 3.3.11
Summary
A security vulnerability has been identified in the Astroid Framework that could potentially allow unauthorized actions through its AJAX request handling. The issue has been assigned CVE-2026-21628.
The vulnerability affects all versions of Astroid Framework prior to 3.3.11.
The Astroid development team has addressed the issue and released a security update in Astroid Framework 3.3.11.
Users are strongly advised to update their installations immediately.
What Happened?
The vulnerability was located in library/astroid/Admin.php, which is responsible for handling AJAX requests for the Astroid Framework administrator interface.
In affected versions, the code relied on Joomla’s checkToken() function to validate CSRF tokens for incoming requests. However, the implementation did not verify whether the request originated from an authenticated administrator session.
Because the CSRF token from the public /administrator login page was accepted as valid, an unauthenticated user could potentially use this token to submit requests to the Astroid AJAX endpoint.
- Visit the Joomla admin login page and grab the CSRF token from the HTML
- Send requests to the Astroid AJAX endpoint using that token
- Upload files, rename them, and install extensions, all without ever logging in
Resolution
This issue has been resolved in Astroid Framework 3.3.11.
The fix introduces an additional authorization check via a new checkAdminAuth() method. This method ensures that the current user has the required core.manage permission for com_templates before any AJAX request is processed.
This additional verification ensures that only properly authenticated administrators can access and execute administrative actions within the Astroid Framework.
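The following is an added illustration for this advisory, not Astroid's own source: it places the pre-3.3.11 pattern described above (a CSRF token check only) beside a handler that also performs the authorization check the fix is said to add. The class names, the fail() helper and the dispatch stub are assumptions; checkToken(), checkAdminAuth() and the core.manage / com_templates permission come from the advisory.

```php
<?php
// Added example, not Astroid's code. Contrasts a CSRF-only AJAX handler with one
// that also verifies the caller is an authorised administrator.
// Assumed names: AstroidAjaxBefore, AstroidAjaxAfter, fail(), dispatchAstroidAction().

use Joomla\CMS\Factory;
use Joomla\CMS\Response\JsonResponse;
use Joomla\CMS\Session\Session;

// Reject the request with an HTTP status and a JSON error body, then stop.
function fail(int $status, string $message): void
{
    $app = Factory::getApplication();
    $app->setHeader('status', (string) $status, true);
    echo new JsonResponse(null, $message, true);
    $app->close();
}

// Stand-in for the real action dispatch (upload, rename, install, ...).
function dispatchAstroidAction(): void
{
    echo new JsonResponse(['status' => 'ok']);
}

// BEFORE (vulnerable pattern): a valid CSRF token is treated as sufficient.
// The token only proves the request matches the caller's own session token,
// and the public administrator login page issues one to every visitor, so an
// unauthenticated caller passes this check.
class AstroidAjaxBefore
{
    public function handle(): void
    {
        if (!Session::checkToken('request')) {
            fail(403, 'Invalid token');
        }
        dispatchAstroidAction();
    }
}

// AFTER (hardened): CSRF check AND an explicit authorization check against the
// current identity. Deny by default: no identity, a guest, or a user without
// core.manage on com_templates all fail closed before any action runs.
class AstroidAjaxAfter
{
    private function checkAdminAuth(): void
    {
        $user = Factory::getApplication()->getIdentity();
        if ($user === null || $user->guest || !$user->authorise('core.manage', 'com_templates')) {
            fail(403, 'Not authorised');
        }
    }

    public function handle(): void
    {
        // Keep the CSRF check: it protects logged-in administrators from forged
        // cross-site requests. It is necessary, just not sufficient.
        if (!Session::checkToken('request')) {
            fail(403, 'Invalid token');
        }
        $this->checkAdminAuth();
        dispatchAstroidAction();
    }
}
```

The point of the contrast is that a CSRF token and authentication are independent controls: checkToken() answers "does this request belong to the session that made it?", not "who is that session?". The guest test matters because on Joomla 4 and later getIdentity() returns a guest User object rather than null for anonymous visitors, so a null check alone would not fail closed.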
Impact
All versions of Astroid Framework prior to 3.3.11 are affected, including legacy versions originally released under JoomDev.
The vulnerability may affect websites running Joomla 4, Joomla 5 and Joomla 6 where vulnerable versions of Astroid are installed.
What you need to do right now
Check for the Malicious Plugins Identified
- System - BLPayload (plugins/system/blpayload/)
- System - JCachePro (plugins/system/jcachepro/) companion plugin
Removal, Cleanup & Patching
Plugin & File Removal
- Disabled and uninstalled System - BLPayload plugin
- Disabled and uninstalled System - JCachePro plugin
- Manually deleted plugins/system/blpayload/ directory
- Manually deleted plugins/system/jcachepro/ directory
- Searched for and removed dropper files in /images/ directory (filenames like blp_.php, blr_.php, astroid_poc_*.php)
- Deleted malicious cache files: plg_jcp_.html and plg_blpayload_ from /administrator/cache/
- Scanned entire filesystem for additional backdoors/webshells
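As an added, read-only illustration of the file checks in the list above (this script is not shipped with Astroid or with this advisory), the following PHP CLI script looks for the named plugin directories, dropper files under images/ and cache files under administrator/cache/ and reports what it finds. The prefix patterns blp_, blr_, astroid_poc_, plg_jcp_ and plg_blpayload_ are this script's reading of the advisory's "filenames like ..." wording; the script name and the extra "any .php under images/" check are assumptions. It deletes nothing.

```php
<?php
// Added example, not part of the advisory. Usage (assumed script name):
//   php astroid_ioc_check.php /var/www/site
// Exit status 0 = nothing found, 1 = at least one artefact reported.
declare(strict_types=1);

// Walk $dir recursively and return files whose basename matches $pattern.
function scanTree(string $dir, string $pattern, string $type): array
{
    if (!is_dir($dir)) {
        return [];
    }
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && preg_match($pattern, $file->getFilename())) {
            $hits[$file->getPathname()] = ['type' => $type, 'mtime' => $file->getMTime()];
        }
    }
    return $hits;
}

// Collect every artefact named in the advisory, keyed by path so that a file
// matched by two checks is reported once under the more specific label.
function findArtefacts(string $root): array
{
    $root = rtrim($root, '/');
    $hits = [];

    // 1. Plugin directories of the two malicious system plugins.
    foreach (['blpayload', 'jcachepro'] as $plugin) {
        $dir = "$root/plugins/system/$plugin";
        if (is_dir($dir)) {
            $hits[$dir] = ['type' => 'plugin-dir', 'mtime' => filemtime($dir)];
        }
    }

    // 2. Dropper files in images/ (prefixes are this script's assumption).
    $hits += scanTree("$root/images", '/^(blp_|blr_|astroid_poc_).*\.php$/i', 'dropper');

    // 3. Malicious cache files in administrator/cache/.
    $hits += scanTree("$root/administrator/cache", '/^(plg_jcp_|plg_blpayload_)/i', 'cache-file');

    // 4. Any other PHP file under images/: a media directory should hold none.
    $hits += scanTree("$root/images", '/\.php$/i', 'php-in-images');

    ksort($hits);
    return $hits;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $hits = findArtefacts($argv[1]);
    foreach ($hits as $path => $h) {
        printf("%-15s %s  (modified %s)\n", $h['type'], $path, date('c', $h['mtime']));
    }
    exit($hits === [] ? 0 : 1);
}
```

The "+=" union keeps the first entry for a path, which is why the specific dropper check runs before the generic php-in-images sweep. Modification times are printed because the advisory's post-cleanup steps ask for a review of recently modified files; a dropper's mtime is a useful pivot for log review.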
Database Cleanup
- Removed BLPayload entry from #__extensions table
- Removed JCachePro entry from #__extensions table
- Checked #__update_sites for rogue update server entries
- Reviewed #__users for unauthorized admin accounts
- Checked for injected content in article/template tables
Access & Credentials
- Changed all Joomla administrator passwords
- Changed database user password and updated configuration.php
- Changed FTP/SFTP and hosting control panel passwords
- Regenerated Joomla $secret in configuration.php
Patching & Hardening
- Updated Astroid Framework to v3.3.11+ (Download it from the official release page and install it through your Joomla extension manager. This closes the vulnerability. If you manage multiple sites, you can push the update to all of them at once.)
- Updated or reinstalled Joomla core to the latest stable release
- Updated all remaining extensions
- Removed unused/unrecognised extensions
- Verified .htaccess and configuration.php were not tampered with
- Checked server cron jobs for unauthorized entries
- Cleared Joomla cache and /tmp/ directory
Post-Cleanup Verification
- Scanned site to confirm clean status
- Checked Google Search Console for security warnings
- Monitoring site logs for suspicious activity
In summary:
To address this issue, users should update the Astroid Framework to the latest version immediately.
Updating Astroid will close the security vulnerability; however, it cannot automatically detect or remove any malicious files that may have already been placed on a compromised website. Malware can appear in many different forms and locations within a site, and detecting it typically requires specialized security tools.
After updating, website administrators are strongly advised to:
- Perform a full malware scan of your website
- Review recently modified files and installed extensions
- Remove any suspicious or unauthorized files
If your hosting provider offers server-side malware scanning or security services, we recommend contacting them for assistance in performing a thorough security check and cleaning your system if necessary.
Taking these steps will help ensure that your website is fully secure after applying the update. 🔐