Description
Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper input validation in Apache OFBiz UI Factory classes, allowing users to craft requests that the server will resolve and fetch. This SSRF flaw can be leveraged to access internal network resources or read arbitrary files through the application’s blind file access capability. The weakness is classified as CWE‑918, an injection of malicious URLs or hostnames into a server‑side resource request.

Affected Systems

Apache Software Foundation’s OFBiz product is affected before the 24.09.06 release. All configurations of OFBiz running a version earlier than 24.09.06 that expose the relevant UI Factory endpoints are susceptible. Users should verify the installed version and ensure it is updated to 24.09.06 or later to eliminate the flaw.

Risk and Exploitability

The CVSS score is 7.5, and the EPSS score is < 1%. The flaw bears full remote impact on data confidentiality and integrity, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers can exploit the SSRF vector by submitting a crafted parameter to the vulnerable UI Factory endpoint, triggering outbound calls that may reach privileged internal services or allow retrieval of local files.

Generated by OpenCVE AI on May 19, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Apache OFBiz release (24.09.06 or newer) to remove the SSRF flaw
  • If an immediate upgrade is not possible, restrict OFBiz’s outbound traffic through firewall rules, permitting access only to known, trusted destinations
  • Implement or enforce stringent input validation on UI Factory component parameters to block malformed or malicious URLs
  • Monitor OFBiz and web server logs for abnormal outbound requests that could indicate exploitation attempts

Generated by OpenCVE AI on May 19, 2026 at 16:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 19:30:00 +0000

Type Values Removed Values Added
References

Tue, 19 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache ofbiz
CPEs cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache ofbiz

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Title Apache OFBiz: Improper Input Validation in UI Factory Classes Leads to SSRF and Blind File Access
Weaknesses CWE-918
References

Subscriptions

Apache Ofbiz
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-19T18:37:19.274Z

Reserved: 2026-03-10T09:19:03.518Z

Link: CVE-2026-31910

cve-icon Vulnrichment

Updated: 2026-05-19T18:37:19.274Z

cve-icon NVD

Status : Modified

Published: 2026-05-19T10:16:24.037

Modified: 2026-05-19T19:16:48.340

Link: CVE-2026-31910

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T10:39:28Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)