Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an unauthenticated actor to retrieve shipment label images stored within Apache OFBiz. The exposure of these images can lead to a disclosure of sensitive information. The flaw is a classic case of information disclosure (CWE-200).

Affected Systems

Affected systems are installations of Apache OFBiz before version 24.09.06 deployed by organizations using the platform. The vulnerability is present in all prior releases, regardless of deployment size or usage scenario.

Risk and Exploitability

The public EPSS score is < 1% and it is not listed in the CISA KEV catalog. The CVSS score is 7.5, indicating high severity. The vulnerability appears to require only unauthenticated HTTP access to a known endpoint, implying that any network location that can reach the OFBiz instance can exploit it; it is inferred rather than explicitly documented in the provided text. The lack of authentication checks represents a high exploitation potential for exposed instances, making patching critical.

Generated by OpenCVE AI on May 19, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied patch by upgrading to Apache OFBiz 24.09.06 or later.
  • Restrict remote access to the shipment label image endpoint so that only authorized users can retrieve images.
  • Conduct a security audit of the deployment to ensure no legacy endpoints that expose shipment label data remain, and review access logs for unusual activity.

Generated by OpenCVE AI on May 19, 2026 at 17:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 19:30:00 +0000

Type Values Removed Values Added
References

Tue, 19 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache ofbiz
CPEs cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache ofbiz

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Tue, 19 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Title Apache OFBiz: Unauthenticated Shipment Label Image Disclosure
Weaknesses CWE-200
References

Subscriptions

Apache Ofbiz
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-19T18:37:18.308Z

Reserved: 2026-03-10T09:12:50.643Z

Link: CVE-2026-31909

cve-icon Vulnrichment

Updated: 2026-05-19T18:37:18.308Z

cve-icon NVD

Status : Modified

Published: 2026-05-19T10:16:23.913

Modified: 2026-05-19T19:16:48.170

Link: CVE-2026-31909

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T10:39:29Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor