Description
Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper access control in Apache OFBiz allows attackers to exploit the program export feature in multi‑tenant deployments to obtain confidential data belonging to other tenants. The flaw arises because the export API does not enforce tenant boundaries, leading to unauthorized data disclosure. The vulnerability is classified as CWE‑284. It is inferred that the vulnerability can be exploited by sending a request to the export endpoint over the network, typically via an authenticated web session belonging to a tenant user.

Affected Systems

Apache OFBiz supplied by the Apache Software Foundation. All releases older than 24.09.06 that deploy the program export feature in a multi‑tenant configuration are affected.

Risk and Exploitability

The CVSS score of 5.3 classifies the vulnerability as medium severity. The vulnerability has not been listed in CISA KEV and the EPSS score is < 1%, indicating a very low exploitation probability. The cross‑tenant data exposure indicates potential confidentiality loss if exploited. Because no public exploit has been disclosed, the risk assessment remains dependent on the sensitivity of data stored in each tenant, but the flaw is considered high risk for environments that rely on strict tenant isolation.

Generated by OpenCVE AI on May 19, 2026 at 15:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache OFBiz to version 24.09.06 or later, as recommended by the vendor.
  • Disable the Program Export feature for tenants that do not require it, or limit access to the feature to a minimal set of authorized users.
  • Review and enforce tenant‑specific permissions on all export‑related APIs to ensure proper isolation.
  • Segregate database schemas per tenant to reduce the risk of cross‑tenant data visibility.
  • Monitor logs for unauthorized export requests and set up alerts for anomalous export activity.
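As an added illustration of the third and fifth recommended actions (tenant-scoped authorization on export APIs and monitoring for anomalous export activity), the following Python sketch is not Apache OFBiz code and does not reproduce the actual flaw; `Session`, `PROGRAMS`, `export_program`, the `PROGRAM_EXPORT` permission and the sample tenants are all hypothetical. It places the vulnerable shape (tenant taken from the request and never checked against the session) beside a hardened handler that derives the tenant from the session and audits every decision, plus a small detector that flags users with repeated cross-tenant denials.

```python
import logging
from collections import Counter
from dataclasses import dataclass

# Hypothetical export handler illustrating tenant-boundary enforcement.
# This is not Apache OFBiz code; all names here are made up for the example.

log = logging.getLogger("export.audit")


class AccessDenied(Exception):
    """Raised when a caller may not export the requested program."""


@dataclass(frozen=True)
class Session:
    user_id: str
    tenant_id: str          # tenant bound to the session at login, not user-supplied
    permissions: frozenset  # coarse feature permissions, e.g. {"PROGRAM_EXPORT"}


# Constructed sample data: two tenants sharing one deployment.
PROGRAMS = {
    "tenant-a": {"prog-1": {"name": "Payroll export", "tenant": "tenant-a"}},
    "tenant-b": {"prog-2": {"name": "Inventory sync", "tenant": "tenant-b"}},
}

AUDIT = []  # in-memory audit trail standing in for a real log sink


def audit(event, session, tenant_id, program_id):
    """Record every authorization decision so export activity can be reviewed."""
    entry = {
        "event": event,
        "user": session.user_id,
        "session_tenant": session.tenant_id,
        "requested_tenant": tenant_id,
        "program": program_id,
    }
    AUDIT.append(entry)
    log.info("%s", entry)
    return entry


def export_program_unchecked(session, tenant_id, program_id):
    """Vulnerable shape (CWE-284): the tenant is taken from the request and never
    compared with the caller's session, so any authenticated user can read data
    belonging to another tenant."""
    return PROGRAMS[tenant_id][program_id]


def export_program(session, tenant_id, program_id):
    """Hardened shape: feature permission, then tenant boundary, then a lookup
    scoped to the session's own tenant. A wrong-tenant request and a missing
    program both fail without revealing whether another tenant's record exists."""
    if "PROGRAM_EXPORT" not in session.permissions:
        audit("denied-permission", session, tenant_id, program_id)
        raise AccessDenied("PROGRAM_EXPORT permission required")
    if tenant_id != session.tenant_id:
        audit("denied-cross-tenant", session, tenant_id, program_id)
        raise AccessDenied("request tenant does not match session tenant")
    record = PROGRAMS.get(session.tenant_id, {}).get(program_id)
    if record is None:
        audit("not-found", session, tenant_id, program_id)
        raise LookupError(program_id)
    audit("exported", session, tenant_id, program_id)
    return record


def flag_suspicious_users(audit_entries, threshold=2):
    """Detection: users with repeated cross-tenant denials are worth an alert."""
    counts = Counter(e["user"] for e in audit_entries if e["event"] == "denied-cross-tenant")
    return sorted(user for user, n in counts.items() if n >= threshold)


def demo():
    """Run both handlers against the sample data and summarize the outcome."""
    AUDIT.clear()
    alice = Session("alice", "tenant-a", frozenset({"PROGRAM_EXPORT"}))
    leaked = export_program_unchecked(alice, "tenant-b", "prog-2")  # crosses the boundary
    own = export_program(alice, "tenant-a", "prog-1")               # legitimate export
    denied = 0
    for _ in range(3):
        try:
            export_program(alice, "tenant-b", "prog-2")
        except AccessDenied:
            denied += 1
    return {
        "leaked": leaked["tenant"],
        "own": own["tenant"],
        "denied": denied,
        "flagged": flag_suspicious_users(AUDIT),
    }


if __name__ == "__main__":
    print(demo())
```

The important design choice is that the hardened handler never trusts a tenant identifier from the request: the session's tenant, fixed at login, is the only scope used for the lookup, and the mismatch is logged as a distinct event so the detector can count it.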

Advisories

No advisories yet.

History

Tue, 19 May 2026 19:30:00 +0000

Type: References

Tue, 19 May 2026 16:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

Tue, 19 May 2026 14:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Apache; Apache ofbiz
Type: Vendors & Products
Values Added: Apache; Apache ofbiz

Tue, 19 May 2026 10:15:00 +0000

Type: Description
Values Added: Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Type: Title
Values Added: Apache OFBiz: Cross-Tenant Data Exposure via Program Export Feature
Type: Weaknesses
Values Added: CWE-284
Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-19T18:37:16.419Z

Reserved: 2026-03-09T10:03:19.808Z

Link: CVE-2026-31388

Vulnrichment

Updated: 2026-05-19T18:37:16.419Z

NVD

Status : Modified

Published: 2026-05-19T10:16:23.643

Modified: 2026-05-19T19:16:47.840

Link: CVE-2026-31388

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T15:45:08Z

Weaknesses