Skip to main content

Axelor Open Platform CVE-2026-63085

| EUVDEUVD-2026-44950 HIGH
Incorrect Authorization (CWE-863)
2026-07-16 VulnCheck GHSA-fgwg-8qwr-qvw3
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-reachable, low-complexity attack needing an existing non-admin account (PR:L) and no user interaction; admin takeover yields full C/I/A impact with no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jul 16, 2026 - 18:18 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 16:32 vuln.today
Analysis Generated
Jul 16, 2026 - 16:32 vuln.today
CVE Published
Jul 16, 2026 - 15:56 cve.org
HIGH 8.7

DescriptionCVE.org

Axelor Open Platform versions 8.x prior to 8.2.2 contains an authorization bypass vulnerability that allows authenticated non-admin users to escalate privileges by exploiting unenforced field restrictions on nested relational save operations. Attackers can modify sensitive User record fields such as roles and group by submitting changes through a related entity's save path, bypassing the USER_RESTRICTED_FIELDS control and causing the JPA persistence layer to flush attacker-supplied admin role and group assignments on commit.

AnalysisAI

Privilege escalation in Axelor Open Platform 8.x before 8.2.2 lets an authenticated non-admin user grant themselves administrative roles and groups by writing to protected User fields through a nested relational save on a related entity, bypassing the USER_RESTRICTED_FIELDS control. The flaw (CWE-863, improper authorization) was reported by VulnCheck and has publicly available exploit code; it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privileged account
Delivery
Craft nested relational save touching User
Exploit
Embed admin role and group in payload
Execution
Bypass USER_RESTRICTED_FIELDS on nested path
Persist
Hibernate flushes assignments on commit
Impact
Account escalated to administrator

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated non-admin account on the target Axelor Open Platform instance (CVSS PR:L) and the ability to submit a save operation on an entity that has a relational path to the User record; the malicious admin role and group values are supplied within that nested relational payload so they bypass the USER_RESTRICTED_FIELDS check that only guards direct User saves. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The available signals are largely consistent and point to a genuine priority for any Axelor deployment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding an ordinary authenticated Axelor account crafts a save request against an entity that has a relation to their own User record, embedding admin role and group values into the nested User payload. On transaction commit, Hibernate flushes the attacker-supplied roles and group, silently promoting the account to administrator. …
Remediation Vendor-released patch: 8.2.2 - upgrade Axelor Open Platform to v8.2.2 or later (release: https://github.com/axelor/axelor-open-platform/releases/tag/v8.2.2). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all Axelor Open Platform 8.x instances; restrict platform access to essential users only; enable detailed audit logging of user role and group modifications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-63085 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy