Description
Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remote Code Execution

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache OFBiz contains an improper authentication flaw in its password‑change logic that lets an attacker bypass the normal login checks and gain programmatic control over the system. Exploitation can culminate in the execution of arbitrary code on the host. The weakness is classified as a failure to verify authentication (CWE‑287). The defect undermines confidentiality, integrity, and availability, since an attacker can run commands on the server without holding legitimate credentials.

Affected Systems

All installations of Apache OFBiz older than version 24.09.06 are affected. Operators of the Apache Software Foundation’s OFBiz platform on any release before 24.09.06 should consider themselves at risk.

Risk and Exploitability

The CVSS score for this vulnerability is 8.8 (High), while the EPSS score remains below 1%, indicating a low but non-zero exploitation probability. The flaw is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is remote: an unauthenticated attacker can craft requests to the password‑change endpoint that trigger the logic flaw. If successful, the attacker can then craft a request that executes arbitrary code, taking full control of the affected system.

Generated by OpenCVE AI on May 19, 2026 at 15:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official upgrade to Apache OFBiz version 24.09.06, which contains the necessary patch for the password‑change logic flaw.
  • Until the upgrade can be performed, disable or restrict access to the OFBiz password‑change API endpoint to prevent unauthenticated requests.
  • Implement network segmentation or firewall rules to limit external reach to the OFBiz application server, and actively monitor logs for anomalous authentication or password‑change attempts.

Advisories

No advisories yet.

History

Tue, 19 May 2026 19:30:00 +0000

  Type: References
    Values Removed:
    Values Added:

Tue, 19 May 2026 16:45:00 +0000

  Type: First Time appeared
    Values Added: Apache; Apache ofbiz
  Type: CPEs
    Values Added: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
  Type: Vendors & Products
    Values Added: Apache; Apache ofbiz

Tue, 19 May 2026 14:15:00 +0000

  Type: Metrics
    Values Added:
      cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 19 May 2026 13:45:00 +0000

  Type: First Time appeared
    Values Added: Apache Software Foundation; Apache Software Foundation apache Ofbiz
  Type: Vendors & Products
    Values Added: Apache Software Foundation; Apache Software Foundation apache Ofbiz

Tue, 19 May 2026 10:15:00 +0000

  Type: Description
    Values Added: Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remote Code Execution This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
  Type: Title
    Values Added: Apache OFBiz: Authentication Bypass via Password-Change Logic Flaw Leading to RCE
  Type: Weaknesses
    Values Added: CWE-287
  Type: References
    Values Removed:
    Values Added:

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-20T15:34:15.862Z

Reserved: 2026-05-12T13:01:22.219Z

Link: CVE-2026-45434

Vulnrichment

Updated: 2026-05-19T18:37:24.201Z

NVD

Status: Modified

Published: 2026-05-19T10:16:24.620

Modified: 2026-05-20T17:16:24.717

Link: CVE-2026-45434

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T15:45:08Z

Weaknesses