Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache OFBiz allows low-privilege users to supply a crafted filename to the Content component, enabling path traversal. By manipulating the pathname, an attacker can read arbitrary files from the server, such as configuration files, logs, or credentials. The flaw corresponds to CWE-22 and exposes confidentiality without requiring elevated privileges.

Affected Systems

Any deployment of Apache OFBiz older than version 24.09.06 is affected. The vulnerability lies in the Content component of the framework, so every instance in which that component is enabled and reachable through the web interface is exposed.

Risk and Exploitability

An EPSS score below 1% and a CVSS score of 6.5 indicate a moderate likelihood and impact. The vulnerability is not listed in the CISA KEV catalog, which suggests no publicly known exploitation yet. Based on the description, the likely attack vector is a web-based request in which the attacker supplies a crafted filename to the content service, triggering path traversal. The real-world risk is moderate and concentrated on confidentiality leakage; no remote code execution is implied by the current description.

Generated by OpenCVE AI on May 19, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Apache OFBiz patch by upgrading to version 24.09.06 or later.
  • Limit the content component to authorized roles only, ensuring that only privileged users can request file rendering.
  • If the content component is not required, disable it or remove the relevant modules to eliminate the attack surface.
  • As a temporary measure, deploy a Web Application Firewall rule that blocks request parameters containing directory traversal sequences such as '..' or '/'.

Generated by OpenCVE AI on May 19, 2026 at 16:52 UTC.
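The check behind the first two recommended actions is path containment: resolve the caller-supplied name against a fixed content root and refuse anything whose normalized (and, where the file exists, real) path leaves that root. The Java below is an added example written for this page, not Apache OFBiz code; the class name `SafeContentPath`, the method `resolveInside`, and the temporary directory used as the content root in `main` are assumptions for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example (not Apache OFBiz code): resolve a caller-supplied file name
// against a fixed content root and refuse anything that escapes it.
// Class and method names are assumptions for illustration.
public final class SafeContentPath {

    private SafeContentPath() {}

    /**
     * Returns the resolved path if it lies inside baseDir, otherwise throws.
     * The comparison is made on the normalized absolute path, so "..", "./"
     * and absolute inputs are all caught by the same containment test rather
     * than by string filtering of individual characters.
     */
    public static Path resolveInside(Path baseDir, String requestedName) throws IOException {
        // Canonical root: follows symlinks so the comparison is against the real location.
        Path root = baseDir.toRealPath();

        // NUL bytes can truncate the name in lower layers; refuse them outright.
        if (requestedName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid character in file name");
        }

        // Resolve against the root and collapse "." and ".." lexically.
        // resolve() returns an absolute argument unchanged, so "/x" is not prefixed by root
        // and fails the containment test below.
        Path candidate = root.resolve(requestedName).normalize();

        // Containment: the candidate must be strictly inside the root.
        if (candidate.equals(root) || !candidate.startsWith(root)) {
            throw new SecurityException("path escapes content root: " + requestedName);
        }

        // If the target exists, re-check its real path so a symlink placed inside
        // the root cannot point back out of it.
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(root)) {
                throw new SecurityException("symlink escapes content root: " + requestedName);
            }
            return real;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox for the demo: a throwaway directory acts as the content root.
        Path root = Files.createTempDirectory("content-root");
        Files.writeString(root.resolve("report.txt"), "ok");

        System.out.println("accepted: " + resolveInside(root, "report.txt"));
        System.out.println("accepted: " + resolveInside(root, "sub/../report.txt"));

        String[] rejected = {"../outside.txt", "/tmp/outside.txt", "sub/../../outside.txt", "."};
        for (String name : rejected) {
            try {
                resolveInside(root, name);
                System.out.println("accepted (unexpected): " + name);
            } catch (SecurityException e) {
                System.out.println("rejected: " + name);
            }
        }
    }
}
```

The check compares resolved paths rather than scanning the parameter for '..' or '/', so it also covers inputs that reach the file layer in a different encoding than the one a request filter inspected; a request-level rule like the one in the last recommended action is a useful stopgap, but the containment check is the control that should live in the code that opens the file.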

Advisories

No advisories yet.

History

Tue, 19 May 2026 20:15:00 +0000

  Metrics ssvc
    Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 19:30:00 +0000

  References

Tue, 19 May 2026 16:45:00 +0000

  CPEs
    Values added: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

Tue, 19 May 2026 15:30:00 +0000

  Metrics cvssV3_1
    Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Tue, 19 May 2026 12:45:00 +0000

  First Time appeared
    Values added: Apache, Apache ofbiz
  Vendors & Products
    Values added: Apache, Apache ofbiz

Tue, 19 May 2026 10:15:00 +0000

  Description
    Values added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
  Title
    Values added: Apache OFBiz: Low-Privilege LFI in Content Component
  Weaknesses
    Values added: CWE-22
  References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-19T18:37:10.485Z

Reserved: 2026-03-04T15:20:11.394Z

Link: CVE-2026-29220

Vulnrichment

Updated: 2026-05-19T18:37:10.485Z

NVD

Status : Modified

Published: 2026-05-19T10:16:22.610

Modified: 2026-05-19T19:16:46.780

Link: CVE-2026-29220

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T17:00:12Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')