Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an unauthenticated actor to retrieve shipment label images from an Apache OFBiz instance. Shipment labels typically carry customer names and delivery addresses, order and stock details, and carrier tracking numbers, so the disclosure compromises the confidentiality of that data. The flaw is information disclosure (CWE-200); the assigned CVSS vector rates no impact on integrity or availability.

Affected Systems

Affected systems are Apache OFBiz installations running any release before 24.09.06; the advisory draws no distinction by deployment size or usage scenario. Installations reachable from untrusted networks, for example an Internet-facing storefront or order portal, are the most exposed, because the flaw needs no credentials.
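As an added, runnable check (not code from the OpenCVE page or from the OFBiz project): given an inventory of OFBiz instances and their version strings, decide which ones fall under the advisory's "before 24.09.06". The inventory is constructed sample data; only tagged three-part release numbers are compared, and anything else (trunk builds, SNAPSHOT versions) is reported for manual review rather than guessed.

```python
"""Added example: triage Apache OFBiz instances against CVE-2026-31909.

Not part of the OpenCVE page or the OFBiz project. The advisory only
states "before 24.09.06", so the check is a plain three-part release
comparison; hostnames and versions below are constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

# First release carrying the vendor fix, per the advisory text.
FIXED_VERSION = "24.09.06"

# OFBiz releases are tagged YY.MM.patch (e.g. 18.12.17, 22.01.04, 24.09.06).
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn '24.09.06' into (24, 9, 6).

    Returns None for anything that is not a tagged release number, such as
    'trunk' or '24.09.06-SNAPSHOT'; callers must treat those as unknown and
    inspect the build by hand instead of assuming it is fixed.
    """
    m = _RELEASE_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if version < fixed, False if version >= fixed, None if unparseable."""
    parsed = parse_version(version)
    fixed_parsed = parse_version(fixed)
    if parsed is None or fixed_parsed is None:
        return None
    return parsed < fixed_parsed


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split (host, version) pairs into affected / fixed / unknown buckets."""
    report: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, version in inventory:
        state = is_affected(version)
        if state is None:
            report["unknown"].append(host)
        elif state:
            report["affected"].append(host)
        else:
            report["fixed"].append(host)
    return report


# Constructed sample inventory (hypothetical hostnames, not real systems).
SAMPLE_INVENTORY = [
    ("erp-prod-01", "24.09.05"),          # last release before the fix
    ("erp-prod-02", "24.09.06"),          # fixed
    ("erp-legacy", "18.12.17"),           # old branch, still "before 24.09.06"
    ("erp-dev", "24.09.06-SNAPSHOT"),     # pre-release build: review manually
    ("erp-trunk", "trunk"),               # unversioned checkout: review manually
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>8}: {', '.join(hosts) or '-'}")
```

Feed it the version strings you already collect from build manifests or deployment records; a SNAPSHOT or trunk build lands in the "unknown" bucket on purpose, since its version number says nothing about whether the fix commit is present.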

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: reachable over the network, low attack complexity, no privileges and no user interaction required, with a high confidentiality impact and none on integrity or availability. The EPSS score is below 1% (Very Low) and the CVE is not listed in the CISA KEV catalog, so there is no public evidence of exploitation yet. Because the label image retrieval needs no authentication, any client that can reach the OFBiz instance over HTTP can exploit it, so exposed instances should be patched promptly.

Generated by OpenCVE AI on May 19, 2026 at 11:22 UTC.

Remediation

Vendor fix: upgrade to Apache OFBiz 24.09.06 or later. The advisory publishes no workaround.

OpenCVE Recommended Actions

  • Upgrade to Apache OFBiz 24.09.06 or later, the release that carries the vendor fix.
  • Until the upgrade is done, restrict network access to the OFBiz instance (or at least to the shipment label image endpoint, enforced at the reverse proxy or web application firewall) so that only authorized users can reach it.
  • Review web access logs for unauthenticated requests that returned shipment label images, and audit the deployment for any remaining endpoints that expose shipment label data.


Advisories

No advisories yet.

History

Tue, 19 May 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                cvssV3_1: score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


Tue, 19 May 2026 10:15:00 +0000

Type          Values Removed   Values Added
Description   -                Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Title         -                Apache OFBiz: Unauthenticated Shipment Label Image Disclosure
Weaknesses    -                CWE-200
References    -


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-19T13:53:52.061Z

Reserved: 2026-03-10T09:12:50.643Z

Link: CVE-2026-31909

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-05-19T10:16:23.913

Modified: 2026-05-19T15:16:29.400

Link: CVE-2026-31909

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T11:30:03Z

Weaknesses