GHSA-7c94-45hg-hmp3
Description (status: PRE-NVD; analysis AI-generated)
Privilege escalation in Apache OFBiz before 24.09.07 allows a low-privileged authenticated user to bypass authorization controls in the updateOrRemove operation and obtain higher privileges than intended. The vulnerability stems from insufficient authorization enforcement on a specific action handler within the OFBiz service/controller layer. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata; the visualization is not available in text form.
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires a valid, authenticated session as a low-privileged user within the Apache OFBiz application; unauthenticated access is not sufficient. … |
| Risk Assessment | No CVSS vector or score was provided, limiting quantitative risk assessment. … |
| Exploit Scenario | An attacker with a low-privileged OFBiz account (such as a customer portal user, a limited internal operator, or a compromised service account) crafts a request targeting the updateOrRemove action in a way that bypasses the authorization check. By exploiting the insufficient privilege validation, the attacker performs operations (such as modifying user roles, altering financial records, or changing system configuration) that should require administrative credentials, effectively escalating their access within the OFBiz application. … |
| Remediation | Upgrade Apache OFBiz to version 24.09.07, which is the vendor-confirmed fix per the advisory at https://seclists.org/oss-sec/2026/q2/873 and https://ofbiz.apache.org/. … |
Recommended Action (AI-generated)
Within 24 hours: Identify and inventory all Apache OFBiz deployments and document current versions. …
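A triage helper for that inventory step, added here as an example and not code from vuln.today or the Apache OFBiz project: it parses OFBiz version strings, compares them against the fixed release 24.09.07 named above, and lists the hosts that still need the upgrade. The inventory is constructed sample data with placeholder hostnames. Ordering is purely numeric, so every release that sorts below 24.09.07 (including older release lines) is reported as affected, which matches the advisory's "before 24.09.07" wording; a pre-release suffix such as `-SNAPSHOT` on 24.09.07 itself is treated as older than the bare release, and an unparseable version is reported rather than assumed patched.

```python
"""Flag Apache OFBiz deployments whose recorded version is below 24.09.07.

Added example (not vuln.today's or the OFBiz project's code). The sample
inventory is constructed; the hostnames are placeholders. Whether an older
release line received a backported fix is beyond what this check can tell.
"""
import re
from typing import Dict, List, Tuple

FIXED_VERSION = "24.09.07"  # fixed release named in the advisory

# major.minor.patch, followed by an optional suffix such as "-SNAPSHOT"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '24.09.07' into (24, 9, 7, 1) and '24.09.07-SNAPSHOT' into (24, 9, 7, 0).

    Leading zeros are dropped so '09' and '9' compare equal. The fourth field
    is 1 for a bare release and 0 for anything carrying a suffix, so a
    pre-release build of the fixed version sorts below the fixed version.
    Strings that do not start with three dot-separated numbers are rejected
    instead of being silently treated as safe.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OFBiz version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), 0 if suffix.strip() else 1)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the version sorts strictly below the fixed release."""
    return parse_version(version) < parse_version(fixed)


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts (sorted by name) whose OFBiz version is below the fix.

    Hosts with an unparseable version are included too: an unknown version
    cannot be assumed patched and needs a manual look.
    """
    hits = []
    for host, version in sorted(inventory.items()):
        try:
            flagged = is_affected(version)
        except ValueError:
            flagged = True
        if flagged:
            hits.append(host)
    return hits


# Constructed sample inventory (placeholder hostnames, not real systems).
SAMPLE_INVENTORY = {
    "erp-prod-01.example.internal": "24.09.06",
    "erp-prod-02.example.internal": "24.09.07",
    "erp-staging.example.internal": "24.09.07-SNAPSHOT",
    "legacy-portal.example.internal": "18.12.17",
    "erp-unknown.example.internal": "unknown",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: OFBiz {SAMPLE_INVENTORY[host]} -> upgrade to {FIXED_VERSION}")
```

Feed it the version strings your inventory tooling already collects; the point of the pre-release and unparseable-version handling is that neither case quietly drops out of the upgrade list.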
Related identifier: EUVD-2026-36169