Skip to main content

Apache OFBiz CVE-2026-45434

| EUVDEUVD-2026-30877 CRITICAL
Improper Authentication (CWE-287)
2026-05-19 apache GHSA-qcxg-xcph-9r99
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 20, 2026 - 17:22 vuln.today
Severity Changed
May 20, 2026 - 17:22 NVD
HIGH CRITICAL
CVSS changed
May 20, 2026 - 17:22 NVD
8.8 (HIGH) 9.8 (CRITICAL)
Patch available
May 19, 2026 - 11:16 EUVD
CVE Published
May 19, 2026 - 09:40 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remote Code Execution

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.

AnalysisAI

Remote code execution in Apache OFBiz before 24.09.06 stems from an improper authentication flaw in the password-change logic that allows unauthenticated remote attackers to bypass authentication and ultimately execute arbitrary code on the server. The CVSS 9.8 rating reflects network-reachable, no-interaction exploitation against a widely deployed open-source ERP platform, though EPSS sits at only 0.07% and SSVC currently marks exploitation as 'none' - meaning no public exploit identified at time of analysis despite the severe technical impact.

Technical ContextAI

Apache OFBiz is an open-source enterprise resource planning (ERP) suite written in Java that bundles e-commerce, CRM, accounting, manufacturing, and supply-chain modules behind a shared web/servlet stack. The CWE-287 (Improper Authentication) classification indicates the password-change workflow fails to correctly verify the requester's identity or current credentials before mutating account state, which an attacker chains into RCE - historically OFBiz RCE chains have leveraged authentication bypasses to reach the Groovy/ECA scripting endpoints (such as ViewHandlerException paths or XML-RPC/SOAP dispatchers) that interpret attacker-controlled code in the server's JVM. The CPE cpe:2.3:a:apache_software_foundation:apache_ofbiz:*:*:*:*:*:*:*:* covers all OFBiz releases prior to the fixed 24.09.06 build.

RemediationAI

Vendor-released patch: Apache OFBiz 24.09.06 - upgrade immediately by following the Apache advisory at https://lists.apache.org/thread/yw4owrzl0yho1yx7oqxvr6xjkmln9tq8. Until the upgrade is deployed, restrict network exposure of the OFBiz front-end and back-end webapps (typically ports 443/8443 and 80/8080) to trusted IP ranges via firewall or reverse-proxy ACLs, and consider blocking access to the password-change and account-management endpoints (e.g., /accounting/control/, /webtools/control/ password-reset URIs) at a WAF - note that blocking these endpoints will prevent legitimate self-service password resets and break some admin workflows. Reviewing application and web-server logs for anomalous POSTs to password-change handlers and for unexpected child processes spawned by the OFBiz JVM is also recommended given the RCE outcome.

Share

CVE-2026-45434 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy