#41666 Security Alert from Admin Tools – API Access Issue

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: 5.2.3
PHP version: 8.2
Admin Tools version: 7.6.2

Latest post by [email protected] on Thursday, 27 February 2025 10:11 CST

[email protected]

Hello,

I have received several alerts from Admin Tools notifying me of the following error:

Exception Type: Joomla\CMS\Application\Exception\NotAcceptable
File: /home/village/public_html/libraries/src/Application/ApiApplication.php
Line: 271
Message: Could not match accept header

#0 /home/village/public_html/libraries/src/Application/ApiApplication.php(110): Joomla\CMS\Application\ApiApplication->route()
#1 /home/village/public_html/libraries/src/Application/CMSApplication.php(306): Joomla\CMS\Application\ApiApplication->doExecute()
#2 /home/village/public_html/api/includes/app.php(50): Joomla\CMS\Application\CMSApplication->execute()
#3 /home/village/public_html/api/index.php(31): require_once('/home/village/p...')
#4 {main}

Additionally, in the SERVER variables (among others), I noticed:

[REQUEST_URI] => /api/shared/config/config.env
[REDIRECT_URL] => /api/shared/config/config.env

Since I assume this is an attack and it happens frequently, could you please advise if I can add something to the Admin Tools Professional configuration or .htaccess to protect against it?

Note: I use Akeeba Backup automated via command-line CRON jobs.

Thank you.

José Luis Martínez


nicholas
Akeeba Staff
Manager

TL;DR: There is nothing to worry about, but you can of course block this request with a .htaccess rule.

Joomla's API application expects to see an Accept header with specific content types when you're making a legitimate API request. If this header is missing completely, or when it does not like its contents, it will immediately throw the Joomla\CMS\Application\Exception\NotAcceptable exception, blocking the request.

Even if that wasn't the case, the Joomla API application will then proceed to check the Authorization header for the (very secure) Joomla API access token. This is a very secure token. The token is never stored verbatim anywhere. Its two seeds are stored one in the database, and the other one in the filesystem. They are combined at runtime to create the token right before it's compared (with a time-safe string comparison function) to the provided token. I wrote that code myself, and it was audited by the most experienced core contributors. Since the attacker won't know this token, their request will be blocked.

Even if they somehow have a valid token, it needs to be a Super User token. The only way to get that information is, basically, to have already completely compromised your site. I am talking about a complete filesystem and database dump. Clearly, if that was the case they wouldn't be making a stupid API call which is bound to fail, so that's not a concern.

The next thing the Joomla API application does is check the route, the stuff after /api. The route shared/config/config.env is invalid, so it would at best result in a 404 error and that's if the attacker already had a Super User token, i.e. if they had already compromised your site.

So, no, this is nothing to worry about. It's a script kiddie doing something bound to fail.

If you want, you can of course create a .htaccess rule to block any URL starting with /api/shared/config just like so:

RewriteRule ^api/shared/config/ - [F,L]

Add it to the rules to add at the top of the file.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
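
The layered checks described in the reply above (the .htaccess block, the Accept header, the two-seed token compared in constant time, and finally the route), modelled as an added example that is not Joomla's or Admin Tools' own code. The seed values, the accepted media types, the known route list and the HMAC-SHA256 combination of the two seeds are assumptions made for illustration; they show the order in which a request like the one in this ticket is stopped, not Joomla's exact implementation.

```python
import hashlib
import hmac
import re

# Constructed placeholders for the two seeds the reply describes: one kept in the
# database, the other in the filesystem. Not real values, and not Joomla's format.
DB_TOKEN_SEED = "db-seed-EXAMPLE-ONLY"
FS_SITE_SECRET = "filesystem-secret-EXAMPLE-ONLY"

# The rule from the reply: RewriteRule ^api/shared/config/ - [F,L]
BLOCK_RULE = re.compile(r"^/api/shared/config/")

# Media types the API application is willing to serve (assumed set)
ACCEPTED = {"application/vnd.api+json", "application/json"}

# Routes the API knows about (assumed subset; the ticket's path is deliberately absent)
KNOWN_ROUTES = {"v1/content/articles", "v1/users"}


def derive_token(db_seed: str, fs_secret: str) -> str:
    """Combine the two seeds at runtime so the token itself is never stored (assumed scheme)."""
    return hmac.new(fs_secret.encode(), db_seed.encode(), hashlib.sha256).hexdigest()


def token_is_valid(presented: str) -> bool:
    # compare_digest is the time-safe comparison the reply refers to
    return hmac.compare_digest(derive_token(DB_TOKEN_SEED, FS_SITE_SECRET), presented)


def evaluate(path: str, headers: dict, htaccess_rule_active: bool = True) -> str:
    """Return the stage at which the request is stopped, or 'ok' if it reaches a route."""
    if htaccess_rule_active and BLOCK_RULE.match(path):
        return "403 blocked by .htaccess"  # Apache answers before Joomla runs
    accept = headers.get("Accept", "")
    if not any(part.strip() in ACCEPTED for part in accept.split(",")):
        return "406 NotAcceptable"  # the exception in the ticket's alert
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or not token_is_valid(auth[len("Bearer "):]):
        return "401 no valid API token"
    route = path.removeprefix("/api/")
    if route not in KNOWN_ROUTES:
        return "404 unknown route"  # shared/config/config.env ends here at best
    return "ok"


if __name__ == "__main__":
    # The request from the ticket: no Accept header, no token, bogus route
    print(evaluate("/api/shared/config/config.env", {}))
    print(evaluate("/api/shared/config/config.env", {}, htaccess_rule_active=False))
```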

[email protected]

Thanks a lot Nicholas for your fast and complete answer. I have added the rule to the .htaccess file as you suggested.

Best regards,

José Luis Martínez
