Description
Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz via Content component operations.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache OFBiz is vulnerable to Server-Side Request Forgery (CWE-918) through operations in its Content component. An attacker who can invoke the affected operations can make the OFBiz server issue outbound HTTP requests to attacker-chosen URLs. Because those requests originate from the server, they can reach internal services that are not directly exposed to the attacker, return their responses (leaking data), or trigger side effects on those services. The assigner's title describes the flaw as a low-privilege SSRF; the NVD CVSS vector records no privileges required (PR:N).

Affected Systems

The vulnerability exists in all Apache OFBiz releases before version 24.09.06. Users running any of these versions are exposed.

Risk and Exploitability

The EPSS score is below 1% and the issue is not in the CISA KEV catalog; the SSVC assessment records Exploitation: none but Automatable: yes. The CVSS 3.1 base score is 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L): reachable over the network, low attack complexity, no privileges or user interaction required, with partial confidentiality, integrity and availability impact. The assigner's title calls the flaw low-privilege, so the bar to trigger it is low in either reading. The practical risk is driven by exposure: an instance whose Content component operations are reachable from untrusted networks, and whose outbound traffic can reach internal services or cloud metadata endpoints, is the case to prioritize.

Generated by OpenCVE AI on May 19, 2026 at 15:33 UTC.

Remediation

The vendor fix is the 24.09.06 release (see Description). No workaround has been published.

OpenCVE Recommended Actions

  • Upgrade Apache OFBiz to version 24.09.06 or later.
  • Restrict who can reach the Content component operations: require authentication, limit the roles that may invoke them, and front the instance with reverse-proxy or firewall rules so untrusted networks cannot trigger them.
  • Apply egress filtering on the OFBiz host: block or allowlist outbound HTTP(S) to loopback, RFC 1918, link-local and cloud metadata addresses, so that an SSRF that does fire cannot reach sensitive internal services.
  • Log and review outbound connections from the OFBiz process; requests to unexpected internal destinations are the exploitation signal for this class of flaw.
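The Impact section above describes the flaw class (server issues requests to attacker-chosen URLs) and the recommended actions above describe the compensating control (keep server-side fetches away from internal destinations). The following is an added example of that control written for this page; it is not Apache OFBiz code and says nothing about where the Content component performs its fetch. It is a hypothetical Python guard for a server-side HTTP fetch: it allowlists the scheme, rejects userinfo in the URL, optionally allowlists hosts, resolves the hostname through an injected resolver, refuses any answer that falls in loopback, private, link-local or metadata ranges (including IPv4-mapped IPv6 forms), and returns the resolved address so the caller connects to what was checked rather than re-resolving. The DNS table it uses is constructed for the demonstration, not real records.

```python
"""Guard for server-initiated HTTP fetches (CWE-918 / SSRF).

Hypothetical helper written for this page; not Apache OFBiz code. The
destination check runs after DNS resolution and returns the resolved
address, so a hostname that points at an internal address, or that
rebinds between check and connect, cannot bypass the filter.
"""
import ipaddress
from typing import Callable, Iterable, List, Optional, Union
from urllib.parse import urlsplit

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Destinations a server-side fetch should never reach: loopback, RFC 1918,
# CGNAT, link-local (covers the 169.254.169.254 cloud metadata service),
# multicast/reserved, and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "64:ff9b::/96", "fc00::/7", "fe80::/10",
)]


class SsrfViolation(ValueError):
    """Raised when a URL must not be fetched from the server."""


def _as_address(text: str) -> Optional[Address]:
    """Parse an IP literal; return None when `text` is a hostname."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _is_internal(addr: Address) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 ranges apply.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url: str,
                       resolve: Callable[[str], Iterable[str]],
                       allowed_hosts: Optional[frozenset] = None) -> str:
    """Validate `url` and return the IP address the caller should connect to.

    `resolve` maps a hostname to its A/AAAA records. It is injected so the
    check runs offline here; in production wrap socket.getaddrinfo.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed IPv6 bracket syntax
        raise SsrfViolation(f"unparseable URL: {exc}") from exc
    if parts.scheme not in ("http", "https"):
        raise SsrfViolation(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise SsrfViolation("URL has no host")
    if parts.username is not None or parts.password is not None:
        # Defeats http://trusted.example@10.0.0.5/ style confusion.
        raise SsrfViolation("userinfo in URL not allowed")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise SsrfViolation(f"host not in allowlist: {host}")
    literal = _as_address(host)
    candidates = [literal] if literal else [_as_address(a) for a in resolve(host)]
    if not candidates or any(a is None for a in candidates):
        raise SsrfViolation(f"cannot resolve host: {host}")
    # Reject if any record is internal: a mixed answer is a rebinding setup.
    for addr in candidates:
        if _is_internal(addr):
            raise SsrfViolation(f"{host} resolves to internal address {addr}")
    return str(candidates[0])


def is_safe_outbound_url(url: str, resolve: Callable[[str], Iterable[str]],
                         allowed_hosts: Optional[frozenset] = None) -> bool:
    try:
        check_outbound_url(url, resolve, allowed_hosts)
        return True
    except SsrfViolation:
        return False


# Constructed DNS table standing in for a real resolver (not real records).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp.local": ["10.0.0.5"],
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],
    "metadata.attacker.test": ["169.254.169.254"],
    "2130706433": ["127.0.0.1"],  # decimal IPv4; libc resolves it to loopback
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://example.com/feed.xml", "http://127.0.0.1:8080/admin",
              "http://[::ffff:10.0.0.1]/", "http://rebind.attacker.test/",
              "http://2130706433/", "file:///etc/passwd"):
        verdict = "allowed" if is_safe_outbound_url(u, fake_resolve) else "BLOCKED"
        print(f"{u:40} -> {verdict}")
```

The check deliberately rejects a name whose answer mixes public and internal addresses rather than picking the public one, and hands back a single address for the caller to pin; a fetch library that re-resolves the hostname after this check reopens the DNS-rebinding window that the returned address is meant to close.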



Advisories

No advisories yet.

History

Tue, 19 May 2026 19:30:00 +0000

Type: References
Values added: (not shown on this page)

Tue, 19 May 2026 15:30:00 +0000

Type: CPEs
Values added: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

Tue, 19 May 2026 14:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 13:45:00 +0000

Type: First Time appeared
Values added: Apache; Apache ofbiz
Type: Vendors & Products
Values added: Apache; Apache ofbiz

Tue, 19 May 2026 10:15:00 +0000

Type: Description
Values added: Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz via Content component operations. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Type: Title
Values added: Apache OFBiz: Low-Privilege SSRF in Content Component
Type: Weaknesses
Values added: CWE-918
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-19T18:37:11.474Z

Reserved: 2026-03-04T15:20:54.186Z

Link: CVE-2026-29226

Vulnrichment

Updated: 2026-05-19T18:37:11.474Z

NVD

Status : Modified

Published: 2026-05-19T10:16:22.730

Modified: 2026-05-19T19:16:46.960

Link: CVE-2026-29226

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T15:45:08Z

Weaknesses