Skip to main content

Axelor Open Platform

1 CVEs product

Monthly

CVE-2026-63085 HIGH POC PATCH This Week

Privilege escalation in Axelor Open Platform 8.x before 8.2.2 lets an authenticated non-admin user grant themselves administrative roles and groups by writing to protected User fields through a nested relational save on a related entity, bypassing the USER_RESTRICTED_FIELDS control. The flaw (CWE-863, improper authorization) was reported by VulnCheck and has publicly available exploit code; it is not listed in CISA KEV. With a CVSS 4.0 base score of 8.7 and full compromise of confidentiality, integrity, and availability of the vulnerable system, any low-privileged account can effectively become an administrator.

Authentication Bypass Axelor Open Platform
NVD GitHub
CVSS 4.0
8.7
CVSS 8.7
HIGH POC PATCH This Week

Privilege escalation in Axelor Open Platform 8.x before 8.2.2 lets an authenticated non-admin user grant themselves administrative roles and groups by writing to protected User fields through a nested relational save on a related entity, bypassing the USER_RESTRICTED_FIELDS control. The flaw (CWE-863, improper authorization) was reported by VulnCheck and has publicly available exploit code; it is not listed in CISA KEV. With a CVSS 4.0 base score of 8.7 and full compromise of confidentiality, integrity, and availability of the vulnerable system, any low-privileged account can effectively become an administrator.

Authentication Bypass Axelor Open Platform
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy