Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache OFBiz allows low-privilege users to supply a crafted filename to the content component, resulting in path traversal. By manipulating the pathname, an attacker can read arbitrary files from the server, such as configuration files, logs, or credentials. This flaw corresponds to CWE-22 and exposes confidentiality without requiring elevated privileges.

Affected Systems

Any deployment of Apache OFBiz older than version 24.09.06 is affected. The vulnerability exists in the Content component of the framework, so every instance where that component is enabled and reachable through a web interface is vulnerable.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating a lack of publicly known exploitation. The attack vector is web-based: an unauthenticated or low-privilege user can trigger the flaw by requesting a URL that passes a filename to the content service. The real-world risk is moderate and concentrated on confidentiality leakage; no remote code execution is implied by the current description.

Generated by OpenCVE AI on May 19, 2026 at 11:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Apache OFBiz patch by upgrading to version 24.09.06 or later.
  • Limit the content component to authorized roles only, ensuring that only privileged users can request file rendering.
  • If the content component is not required, disable it or remove the relevant modules to eliminate the attack surface.
  • As a temporary measure, deploy a Web Application Firewall rule that blocks request parameters containing directory traversal sequences such as '..' or '/'.



Advisories

No advisories yet.

History

Tue, 19 May 2026 12:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Apache; Apache ofbiz

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Apache; Apache ofbiz

Tue, 19 May 2026 10:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Type: Title
  Values Removed: (none)
  Values Added: Apache OFBiz: Low-Privilege LFI in Content Component

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-22
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-19T09:16:59.872Z

Reserved: 2026-03-04T15:20:11.394Z

Link: CVE-2026-29220

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-19T10:16:22.610

Modified: 2026-05-19T10:16:22.610

Link: CVE-2026-29220

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T12:30:04Z

Weaknesses