Description
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an LDAP injection flaw caused by improper neutralization of special elements during DN construction. This weakness can allow an attacker to manipulate LDAP queries, leading to authentication bypass and potentially unauthorized access to the system. The flaw is identified as CWE-90.

Affected Systems

Apache OFBiz by the Apache Software Foundation is affected. Any installation running a version prior to 24.09.06 is vulnerable. Users should check whether their deployment runs one of these earlier releases.

Risk and Exploitability

The attack vector is likely the authentication interface, where user-supplied credentials or parameters are incorporated into an LDAP query without adequate escaping. Based on the description, it is inferred that an attacker could craft input that alters the LDAP search and thereby gain access. Whether exploitation is local or remote depends on how the deployment exposes that interface. EPSS information is not available and the vulnerability is not listed in CISA KEV, indicating no known public exploits at this time; however, the severity of an authentication bypass warrants careful consideration.

Generated by OpenCVE AI on May 19, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache OFBiz to version 24.09.06 or newer, which contains the fix for this LDAP injection flaw.
  • If an immediate upgrade is not feasible, temporarily disable LDAP authentication or restrict access to authentication endpoints until the patch can be applied.
  • Review any custom LDAP query logic in your OFBiz instance and ensure that all DN components are properly escaped or sanitized to neutralize special characters, following best practices for LDAP input handling.
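The third recommendation above, escaping DN components so that special characters cannot change the structure of the name, is illustrated by the following added example. It is not code from Apache OFBiz or from this advisory; the function names (escape_dn_value, escape_filter_value, build_user_dn, split_rdns), the base DN and the sample value "smith, john" are constructed for the illustration. It implements the escaping rules of RFC 4514 (distinguished names) and RFC 4515 (search filters) in plain Python, and contrasts the unescaped concatenation that CWE-90 describes with the hardened form.

```python
"""RFC 4514 DN escaping and RFC 4515 filter escaping, shown beside the unsafe
string concatenation they replace.

Added example; not Apache OFBiz code. Function names, the base DN and the
sample values are constructed for illustration only.
"""

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 section 2.4).
_DN_SPECIALS = {"\\", ",", "+", '"', "<", ">", ";", "="}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use as an RDN value in a distinguished name.

    Rules applied (RFC 4514):
      - backslash-escape the special characters in _DN_SPECIALS
      - escape '#' only when it is the first character
      - escape a leading or trailing space
      - hex-escape NUL, which may never appear literally
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value for an RFC 4515 search filter using \\XX hex escapes."""
    mapping = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(mapping.get(ch, ch) for ch in value)


def build_user_dn_unsafe(username: str, base_dn: str) -> str:
    """The pattern CWE-90 describes: raw input concatenated into a DN."""
    return f"uid={username},{base_dn}"


def build_user_dn(username: str, base_dn: str) -> str:
    """Hardened form: the value is escaped, so it can only ever be one RDN value."""
    return f"uid={escape_dn_value(username)},{base_dn}"


def build_search_filter(username: str) -> str:
    """Hardened search filter: the value cannot introduce filter metacharacters."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas, honouring backslash escapes.

    Used here only to show how many RDNs the LDAP server would see; a real
    client should rely on its LDAP library's DN parser instead.
    """
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i : i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


if __name__ == "__main__":
    base = "ou=users,dc=example,dc=com"  # constructed base DN
    name = "smith, john"  # constructed value containing DN metacharacters
    unsafe = build_user_dn_unsafe(name, base)
    safe = build_user_dn(name, base)
    # The unescaped DN has gained an extra component; the escaped one has not.
    print(unsafe, "->", len(split_rdns(unsafe)), "RDNs")
    print(safe, "->", len(split_rdns(safe)), "RDNs")
    print(build_search_filter("*"))
```

The value "smith, john" is ordinary data rather than an attack string, which is the point: any comma, plus sign or equals sign in user input changes the structure of an unescaped DN, so escaping is needed for correctness as well as for security. Filter escaping is separate from DN escaping because the two grammars reserve different characters; a value must be escaped for the context it is placed in, not with a single generic routine.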

Generated by OpenCVE AI on May 19, 2026 at 11:21 UTC.

Advisories

No advisories yet.

History

Tue, 19 May 2026 15:30:00 +0000

Type: Metrics
Values Removed: none
Values Added:
  cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 May 2026 12:15:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Apache; Apache ofbiz

Type: Vendors & Products
Values Removed: none
Values Added: Apache; Apache ofbiz

Tue, 19 May 2026 10:15:00 +0000

Type: Description
Values Removed: none
Values Added: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Type: Title
Values Removed: none
Values Added: Apache OFBiz: Authentication Bypass due to Improper Neutralization of LDAP Special Elements in DN Construction

Type: Weaknesses
Values Removed: none
Values Added: CWE-90

Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-19T13:41:40.500Z

Reserved: 2026-04-22T16:25:14.812Z

Link: CVE-2026-41919

Vulnrichment

Updated: 2026-05-19T13:06:53.637Z

NVD

Status: Undergoing Analysis

Published: 2026-05-19T10:16:24.380

Modified: 2026-05-19T15:16:30.760

Link: CVE-2026-41919

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T12:00:04Z

Weaknesses