Skip to main content

Apache OFBiz CVE-2026-46586

| EUVDEUVD-2026-30876 HIGH
Code Injection (CWE-94)
2026-05-19 apache GHSA-rqcv-xm6x-2p88
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 17:22 vuln.today
CVSS changed
May 20, 2026 - 17:22 NVD
7.3 (HIGH) 8.8 (HIGH)
Patch available
May 19, 2026 - 11:16 EUVD
CVE Published
May 19, 2026 - 09:41 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.

AnalysisAI

Authenticated code injection in Apache OFBiz versions prior to 24.09.06 allows remote attackers with low-privileged accounts to execute arbitrary code via improperly neutralized directives in dynamically evaluated expressions. The flaw combines CWE-94 code injection with eval injection, yielding full confidentiality, integrity, and availability impact (CVSS 8.8). No public exploit identified at time of analysis, and EPSS rates near-term exploitation at 0.03% (8th percentile), but SSVC flags the issue as automatable, raising the risk of scripted abuse once a POC emerges.

Technical ContextAI

Apache OFBiz is an open-source enterprise resource planning (ERP) suite providing CRM, e-commerce, accounting, manufacturing, and supply-chain modules built on a Java stack with Groovy-based scripting and a service engine that supports dynamic expression evaluation. The CWE-94 (Improper Control of Generation of Code) root cause indicates that user-controllable input reaches an interpreter - historically in OFBiz this has involved Groovy/BeanShell evaluation through view handlers, screen widgets, or service URI parameters - allowing attacker-supplied directives to be parsed and executed by the runtime. The CPE entry cpe:2.3:a:apache_software_foundation:apache_ofbiz:*:*:*:*:*:*:*:* confirms the Apache Software Foundation product as the sole affected platform, with the eval-injection variant suggesting the sink is a dynamic evaluator (e.g., GroovyShell, ScriptEngine, or UEL) rather than a static template renderer.

RemediationAI

Vendor-released patch: 24.09.06 - upgrade Apache OFBiz to 24.09.06 or later as documented in the Apache advisory at https://lists.apache.org/thread/7mgjl81nrpxqtfcg6h5qtrx7wztbl4js. Until the upgrade can be deployed, restrict network reachability of the OFBiz web tier to trusted internal ranges (block public ingress on 443/8443/1099), audit user accounts to remove self-registration or low-privilege accounts not strictly required, and consider disabling unused webapps and view handlers that expose dynamic expression evaluation endpoints (groovyProgram, ViewHandlerExceptionEventHandler, and similar) via the relevant component.xml/controller.xml - note that disabling these will break customizations and integrations that depend on Groovy scripting. A WAF rule blocking requests that contain serialized Groovy/Java expressions or known OFBiz eval-sink query parameters can buy time but will not catch novel payload encodings, so it should be considered compensating rather than terminating control. Validate the patched version against the EUVD entry EUVD-2026-30876 before declaring closure.

Share

CVE-2026-46586 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy