Description
Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper input validation in Apache OFBiz UI Factory classes, allowing users to craft requests that the server will resolve and fetch. This SSRF flaw can be leveraged to access internal network resources or read arbitrary files through the application’s blind file access capability. The weakness is classified as CWE‑918, an injection of malicious URLs or hostnames into a server‑side resource request.

Affected Systems

Apache Software Foundation’s OFBiz product is affected before the 24.09.06 release. All configurations of OFBiz running a version earlier than 24.09.06 that expose the relevant UI Factory endpoints are susceptible. Users should verify the installed version and ensure it is updated to 24.09.06 or later to eliminate the flaw.

Risk and Exploitability

The CVSS score is not provided in the advisory, and EPSS information is unavailable, so the exact exploitation likelihood cannot be quantified. However, the flaw bears full remote impact on data confidentiality and integrity, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers can exploit the SSRF vector by submitting a crafted parameter to the vulnerable UI Factory endpoint, triggering outbound calls that may reach privileged internal services or allow retrieval of local files.

Generated by OpenCVE AI on May 19, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Apache OFBiz release (24.09.06 or newer) to remove the SSRF flaw
  • If an immediate upgrade is not possible, restrict OFBiz’s outbound traffic through firewall rules, permitting access only to known, trusted destinations
  • Implement or enforce stringent input validation on UI Factory component parameters to block malformed or malicious URLs
  • Monitor OFBiz and web server logs for abnormal outbound requests that could indicate exploitation attempts

Generated by OpenCVE AI on May 19, 2026 at 11:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Title Apache OFBiz: Improper Input Validation in UI Factory Classes Leads to SSRF and Blind File Access
Weaknesses CWE-918
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-19T13:41:51.404Z

Reserved: 2026-03-10T09:19:03.518Z

Link: CVE-2026-31910

cve-icon Vulnrichment

Updated: 2026-05-19T13:41:02.682Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-19T10:16:24.037

Modified: 2026-05-19T15:16:29.590

Link: CVE-2026-31910

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T11:30:03Z

Weaknesses