CVE-2026-31378 - Vulnerability Details

Description

Improper Input Validation vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Published: 2026-05-19

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an improper input validation flaw that allows an attacker to override JSON attributes and bypass the URL allowlist, leading to remote code execution. This weakness is classified as CWE-20. Successful exploitation would let the attacker execute arbitrary code, fully compromising confidentiality, integrity, and availability of the affected system.

Affected Systems

The flaw exists in Apache OFBiz prior to configuration release 24.09.06. Only those installations running an earlier version are vulnerable; all newer releases contain the fix.

Risk and Exploitability

The CVSS score is not provided, and no EPSS data is available. The vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is remote, where an attacker sends a crafted JSON payload or HTTP request to the vulnerable endpoint; no privileged access is required.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache OFBiz

unaffected

Version	Status	Constraints
`0`	affected	< 24.09.06

No data.

Vendor Product Confidence Versions

Apache

Ofbiz

95%

Version	Status	Scheme	Platform
`[0,24.09.06)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Apache OFBiz to version 24.09.06 or later, which contains the fix for the input validation flaw.
If an immediate upgrade is not possible, restrict incoming JSON to trusted sources and block or hard‑enforce the URL allowlist to prevent attribute override exploitation.
Deploy monitoring to detect anomalous JSON requests that attempt to override attributes, and investigate any such indications promptly.

Generated by OpenCVE AI on May 19, 2026 at 11:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00037.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://lists.apache.org/thread/cbl8qkqtxv90m6ssfwd58bnoh933v38t

History

Tue, 19 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache ofbiz
Vendors & Products		Apache Apache ofbiz

Tue, 19 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Title		Apache OFBiz: JSON Attribute Override and URL Allowlist Bypass Leads to Remote Code Execution
Weaknesses		CWE-20
References		https://lists.apache.org/thread/cbl8qkqtxv90m6ssfwd58bnoh933v38t

Subscriptions

Apache Ofbiz

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-05-19T09:21:18.503Z

Updated: 2026-05-19T13:19:19.288Z

Reserved: 2026-03-09T08:16:41.659Z

Link: CVE-2026-31378

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-19T10:16:23.137

Modified: 2026-05-19T10:16:23.137

Link: CVE-2026-31378

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T12:00:04Z

Weaknesses

CWE-20

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31378", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-09T08:16:41.659Z", "datePublished": "2026-05-19T09:21:18.503Z", "dateUpdated": "2026-05-19T13:19:19.288Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache OFBiz", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "24.09.06", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Sho Odagiri of GMO Cybersecurity by Ierae, Inc."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Input Validation vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 24.09.06.Users are recommended to upgrade to version 24.09.06, which fixes the issue."}], "value": "Improper Input Validation vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 24.09.06.\n\nUsers are recommended to upgrade to version 24.09.06, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-05-19T09:21:18.503Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/cbl8qkqtxv90m6ssfwd58bnoh933v38t"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache OFBiz: JSON Attribute Override and URL Allowlist Bypass Leads to Remote Code Execution", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-05-19T13:19:12.682901Z", "id": "CVE-2026-31378", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-19T13:19:19.288Z"}}]}}

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object