Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remote Code Execution
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
AnalysisAI
Remote code execution in Apache OFBiz before 24.09.06 stems from an improper authentication flaw in the password-change logic that allows unauthenticated remote attackers to bypass authentication and ultimately execute arbitrary code on the server. The CVSS 9.8 rating reflects network-reachable, no-interaction exploitation against a widely deployed open-source ERP platform, though EPSS sits at only 0.07% and SSVC currently marks exploitation as 'none' - meaning no public exploit identified at time of analysis despite the severe technical impact.
Technical ContextAI
Apache OFBiz is an open-source enterprise resource planning (ERP) suite written in Java that bundles e-commerce, CRM, accounting, manufacturing, and supply-chain modules behind a shared web/servlet stack. The CWE-287 (Improper Authentication) classification indicates the password-change workflow fails to correctly verify the requester's identity or current credentials before mutating account state, which an attacker chains into RCE - historically OFBiz RCE chains have leveraged authentication bypasses to reach the Groovy/ECA scripting endpoints (such as ViewHandlerException paths or XML-RPC/SOAP dispatchers) that interpret attacker-controlled code in the server's JVM. The CPE cpe:2.3:a:apache_software_foundation:apache_ofbiz:*:*:*:*:*:*:*:* covers all OFBiz releases prior to the fixed 24.09.06 build.
RemediationAI
Vendor-released patch: Apache OFBiz 24.09.06 - upgrade immediately by following the Apache advisory at https://lists.apache.org/thread/yw4owrzl0yho1yx7oqxvr6xjkmln9tq8. Until the upgrade is deployed, restrict network exposure of the OFBiz front-end and back-end webapps (typically ports 443/8443 and 80/8080) to trusted IP ranges via firewall or reverse-proxy ACLs, and consider blocking access to the password-change and account-management endpoints (e.g., /accounting/control/, /webtools/control/ password-reset URIs) at a WAF - note that blocking these endpoints will prevent legitimate self-service password resets and break some admin workflows. Reviewing application and web-server logs for anomalous POSTs to password-change handlers and for unexpected child processes spawned by the OFBiz JVM is also recommended given the RCE outcome.
More in Apache Ofbiz
View allSame weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30877
GHSA-qcxg-xcph-9r99