Joomla 6.0.4 Known Issues
Last Updated: 31 March 2026
Joomla 6.0.4 was released on 31 March 2026.
Changed default-ACL for com_ajax in admin views
Until now, com_ajax and its associated handlers were excluded from the check that requires a valid admin-user session in the administrator application. So, while the code that exposes the respective com_ajax handlers (i.e. a module or a component) was protected by the check, the ajax handlers themselves were publicly accessible.
While it is best practice to always perform ACL checks in your own code, excluding all ajax handlers by default was considered a risk. Instead, 5.3.4/6.0.4 now prevents calling ajax handlers in the administrator application by default unless the handler is explicitly allowed.
This is a breaking change.
Required changes
Add the Joomla\CMS\Plugin\Attribute\AllowUnauthorizedAdministratorAccess attribute to the respective handler methods. See the AJAX handler of the webauthn plugin for boilerplate.
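An added example, not Joomla project code: a heuristic Python scan that lists an extension's com_ajax handler methods and reports whether each carries the attribute, so handlers affected by the new default can be found before updating. The sample PHP class and its handler names are constructed, and matching handlers by the com_ajax naming conventions (onAjax<Name> for plugins, <name>Ajax for module and template helpers) is an assumption of this example.

```python
import re

# Attribute class named on the page, matched by short name so that the
# imported and the fully qualified spelling are both recognised.
ATTRIBUTE = "AllowUnauthorizedAdministratorAccess"
# Assumed com_ajax naming conventions: plugin handlers are onAjax<Name>,
# module and template helper methods end in "Ajax".
HANDLER = re.compile(r"\bfunction\s+(onAjax\w*|\w+Ajax)\s*\(")
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
ATTR_GROUP = re.compile(r"#\[(.*?)\]", re.S)


def audit_handlers(php_source):
    """Return {handler_name: bool}; True means the attribute is present."""
    code = COMMENTS.sub("", php_source)  # ignore commented-out attributes
    report = {}
    for match in HANDLER.finditer(code):
        # Declaration prefix: everything since the previous statement or
        # block ended, i.e. the attributes and modifiers of this method only.
        start = max(code.rfind(c, 0, match.start()) for c in ";{}") + 1
        prefix = code[start:match.start()]
        names = re.findall(r"[\w\\]+", " ".join(ATTR_GROUP.findall(prefix)))
        report[match.group(1)] = any(n.split("\\")[-1] == ATTRIBUTE for n in names)
    return report


# Constructed sample extension code (hypothetical plugin, not from Joomla).
SAMPLE = r"""<?php
use Joomla\CMS\Plugin\Attribute\AllowUnauthorizedAdministratorAccess;

final class PlgSystemExample
{
    #[AllowUnauthorizedAdministratorAccess]
    public function onAjaxExamplelogin($event) { return 'challenge'; }

    // #[AllowUnauthorizedAdministratorAccess]
    public function onAjaxExamplestats($event) { return []; }

    #[\Joomla\CMS\Plugin\Attribute\AllowUnauthorizedAdministratorAccess]
    public function onAjaxExampleping($event) { return 'pong'; }
}
"""

if __name__ == "__main__":
    for name, allowed in audit_handlers(SAMPLE).items():
        print(f"{name}: {'explicitly allowed' if allowed else 'not allowed'}")
```

Handlers reported as explicitly allowed remain callable without an admin session, so those are the ones whose own ACL checks matter most.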