Description
Improper Input Validation vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper input validation flaw that allows an attacker to override JSON attributes and bypass the URL allowlist, leading to remote code execution. This weakness is classified as CWE-20, and the CVE record also indicates no specific CWE mapping (NVD-CWE-noinfo). Successful exploitation would let the attacker execute arbitrary code, fully compromising confidentiality, integrity, and availability of the affected system.

Affected Systems

The flaw exists in Apache OFBiz prior to configuration release 24.09.06. Only those installations running an earlier version are vulnerable; all newer releases contain the fix.

Risk and Exploitability

The CVSS score is 6.5, and the EPSS score is less than 1%. The vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is remote, where an attacker sends a crafted JSON payload or HTTP request to the vulnerable endpoint; no privileged access is required.

Generated by OpenCVE AI on May 19, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache OFBiz to version 24.09.06 or later, which contains the fix for the input validation flaw.
  • If an immediate upgrade is not possible, restrict incoming JSON to trusted sources and block or hard‑enforce the URL allowlist to prevent attribute override exploitation.
  • Deploy monitoring to detect anomalous JSON requests that attempt to override attributes, and investigate any such indications promptly.

Generated by OpenCVE AI on May 19, 2026 at 16:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 19:30:00 +0000

Type Values Removed Values Added
References

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

Tue, 19 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache ofbiz
Vendors & Products Apache
Apache ofbiz

Tue, 19 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Title Apache OFBiz: JSON Attribute Override and URL Allowlist Bypass Leads to Remote Code Execution
Weaknesses CWE-20
References

Subscriptions

Apache Ofbiz
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-19T18:37:12.423Z

Reserved: 2026-03-09T08:16:41.659Z

Link: CVE-2026-31378

cve-icon Vulnrichment

Updated: 2026-05-19T18:37:12.423Z

cve-icon NVD

Status : Modified

Published: 2026-05-19T10:16:23.137

Modified: 2026-05-19T19:16:47.147

Link: CVE-2026-31378

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T16:30:09Z

Weaknesses