Description
Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper access control in Apache OFBiz allows attackers to exploit the program export feature in multi‑tenant deployments to obtain confidential data belonging to other tenants. The flaw arises because the export API does not enforce tenant boundaries, leading to unauthorized data disclosure. The vulnerability is classified as CWE‑284. It is inferred that the vulnerability can be exploited by sending a request to the export endpoint over the network, typically via an authenticated web session belonging to a tenant user.

Affected Systems

Apache OFBiz supplied by the Apache Software Foundation. All releases older than 24.09.06 that deploy the program export feature in a multi‑tenant configuration are affected.

Risk and Exploitability

The vulnerability has not been listed in CISA KEV and no EPSS score is available, so the current exploitation probability is unknown. The cross‑tenant data exposure indicates potential confidentiality loss if exploited. Because no public exploit has been disclosed, the risk assessment remains dependent on the sensitivity of data stored in each tenant, but the flaw is considered high risk for environments that rely on strict tenant isolation.

Generated by OpenCVE AI on May 19, 2026 at 11:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache OFBiz to version 24.09.06 or later, as recommended by the vendor.
  • Disable the Program Export feature for tenants that do not require it, or limit access to the feature to a minimal set of authorized users.
  • Review and enforce tenant‑specific permissions on all export‑related APIs to ensure proper isolation.
  • Segregate database schemas per tenant to reduce the risk of cross‑tenant data visibility.
  • Monitor logs for unauthorized export requests and set up alerts for anomalous export activity.

Advisories

No advisories yet.

History

Tue, 19 May 2026 12:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Apache
                                       Apache ofbiz
Vendors & Products                     Apache
                                       Apache ofbiz

Tue, 19 May 2026 10:15:00 +0000

Type          Values Removed   Values Added
Description                    Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Title                          Apache OFBiz: Cross-Tenant Data Exposure via Program Export Feature
Weaknesses                     CWE-284
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-19T09:28:29.273Z

Reserved: 2026-03-09T10:03:19.808Z

Link: CVE-2026-31388

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-19T10:16:23.643

Modified: 2026-05-19T10:16:23.643

Link: CVE-2026-31388

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T12:00:04Z

Weaknesses