Description
Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a hard‑coded cryptographic key that allows an attacker to forge JSON Web Tokens with the system’s default signing key and inject widget templates, resulting in remote code execution. Because the key is fixed and publicly known, an unauthenticated attacker can bypass authentication checks and execute arbitrary code on the host, compromising confidentiality, integrity, and availability.

Affected Systems

The flaw affects all installations of Apache OFBiz with a version earlier than 24.09.06. The affected vendor is the Apache Software Foundation and the affected product is Apache OFBiz.

Risk and Exploitability

The CVSS score is not provided in this analysis, the EPSS score is unavailable, and the vulnerability is not currently listed in CISA KEV, which suggests no common exploitation in the wild yet. However, because the flaw is unauthenticated and relies on a hard‑coded key that is known to all users, the risk of exploitation remains high. An attacker who can send a forged JWT or inject code into a widget template can execute arbitrary commands on the target system. The absence of a public exploit may reflect difficulty or lack of discovery rather than low risk.

Generated by OpenCVE AI on May 19, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache OFBiz to version 24.09.06 or later, which removes the hard‑coded JWT signing key.
  • If upgrading is not possible, replace the default JWT signing key with a unique, securely generated key and update all related configuration files.
  • Sanitize widget template inputs and enforce strict content validation to prevent injection attacks.

Generated by OpenCVE AI on May 19, 2026 at 11:22 UTC.
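The second recommended action above (replace the default signing key with a unique, securely generated one) can be checked mechanically. The following Python is an added example, not code from OpenCVE or from the Apache OFBiz project: it builds and verifies standard HS256 JSON Web Tokens with the standard library, rejects a key that matches a known default or is too short for HS256, and confirms that a token minted under the old key no longer verifies after rotation. The real OFBiz default key and its property name are not on this page, so a labelled placeholder stands in for the default.

```python
import base64, hashlib, hmac, json, secrets

# Placeholder only: the actual vendor default value is not given on this page.
KNOWN_DEFAULT_KEYS = {"PLACEHOLDER-DEFAULT-JWT-KEY"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token: str, key: bytes):
    """Return the claims if the signature is valid under `key`, otherwise None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # pin the algorithm: only HS256 under this key is acceptable
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))

def key_is_acceptable(key: str) -> bool:
    """Reject known default keys and keys shorter than the 256 bits HS256 expects."""
    return key not in KNOWN_DEFAULT_KEYS and len(key.encode()) >= 32

def generate_key() -> str:
    """A fresh key with 384 bits of randomness, suitable as a replacement value."""
    return secrets.token_urlsafe(48)

def rotation_rejects_old_tokens(old_key: str, new_key: str) -> bool:
    """A token minted under the replaced key must fail verification after rotation."""
    token = mint_hs256({"sub": "example-user"}, old_key.encode())
    still_valid_under_old = verify_hs256(token, old_key.encode()) is not None
    rejected_under_new = verify_hs256(token, new_key.encode()) is None
    return still_valid_under_old and rejected_under_new
```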

Advisories

No advisories yet.

History

Tue, 19 May 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
                           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 May 2026 11:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Apache; Apache ofbiz
Vendors & Products                    Apache; Apache ofbiz

Tue, 19 May 2026 10:15:00 +0000

Type          Values Removed   Values Added
Description                    Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Title                          Apache OFBiz: Unauthenticated RCE via Default JWT Signing Key and Widget Template Injection
Weaknesses                     CWE-321
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-19T13:41:46.008Z

Reserved: 2026-03-10T16:21:27.187Z

Link: CVE-2026-31986

Vulnrichment

Updated: 2026-05-19T13:09:19.623Z

NVD

Status: Undergoing Analysis

Published: 2026-05-19T10:16:24.143

Modified: 2026-05-19T15:16:29.777

Link: CVE-2026-31986

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T11:30:03Z

Weaknesses