Description
Improper Authorization vulnerability in Apache OFBiz Webtools.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache OFBiz Webtools allows users with minimal privileges to create and submit scheduled jobs to the system. Because the application fails to enforce proper authorization checks, an attacker can submit jobs that run under the system's service account, thereby executing arbitrary commands, accessing sensitive data, or disrupting service availability. The weakness is correctly categorized as Improper Authorization (CWE-285).

Affected Systems

Any installation of Apache OFBiz older than version 24.09.06 is impacted. The vulnerability applies to all components exposed through the Webtools interface that enable job submission.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity. The EPSS score is < 1%, suggesting low likelihood of exploitation, but the vulnerability still enables low‑privileged users to run system jobs. The issue is not reported in the CISA KEV catalog, yet it remains publicly documented by Apache and can be exploited by users who have authenticated to the platform but lack administrative rights.

Generated by OpenCVE AI on May 19, 2026 at 15:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache OFBiz to version 24.09.06 or newer, which contains the remediation.
  • If a prompt upgrade is infeasible, immediately remove or restrict the "Submit" permission for low-privileged user roles from the Webtools job submission interface.
  • Configure your network or web application firewall to block direct access to /webtools/job/* endpoints for authenticated users who do not hold administrative roles.



Advisories

No advisories yet.

History

Tue, 19 May 2026 14:15:00 +0000

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 10:15:00 +0000

Type: Description
Values removed: (none)
Values added: Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Type: Title
Values removed: (none)
Values added: Apache OFBiz: Improper Authorization in Scheduled Job Creation Allows Low-Privileged Users to Submit System Jobs

Type: Weaknesses
Values removed: (none)
Values added: CWE-285

Type: References
Values removed: (none)
Values added: (none listed)


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-19T13:51:59.941Z

Reserved: 2026-05-10T08:50:14.267Z

Link: CVE-2026-45187

Vulnrichment

Updated: 2026-05-19T13:51:56.233Z

NVD

Status: Undergoing Analysis

Published: 2026-05-19T10:16:24.500

Modified: 2026-05-19T15:16:31.373

Link: CVE-2026-45187

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T11:30:03Z

Weaknesses