Description
Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Published: 2026-05-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache OFBiz has an input-validation flaw in the traverseContent service that lets an authenticated user supply Groovy code which the service then evaluates. The weakness is Code Injection (CWE-94) realised through Eval Injection (CWE-95): because the injected Groovy runs inside the OFBiz JVM with the application's own privileges, an attacker can call arbitrary Java APIs and execute operating-system commands on the host, compromising the confidentiality, integrity and availability of the OFBiz instance.

Affected Systems

The flaw exists in all Apache OFBiz releases prior to 24.09.06. The product is maintained by the Apache Software Foundation and is distributed as open‑source software. Only installations running a pre‑24.09.06 version are affected.

Risk and Exploitability

The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, so there is no evidence of exploitation in the wild at the time of writing. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8) classifies it as high severity: it is reachable over the network, requires only a low-privileged authenticated OFBiz account, needs no user interaction, and yields full compromise of the instance. Exploitation consists of authenticating and invoking the traverseContent service with crafted input, so any deployment that exposes the service to untrusted authenticated users is at risk. No public exploit has been reported, but the combination of low attack complexity and total impact warrants close attention.

Generated by OpenCVE AI on May 20, 2026 at 17:39 UTC.

Remediation

The vendor fix is the upgrade to Apache OFBiz 24.09.06 noted in the description; no separate workaround has been published by the vendor.

OpenCVE Recommended Actions

  • Apply the official fix by upgrading to Apache OFBiz 24.09.06 or later, which corrects the validation flaw in traverseContent.
  • If an upgrade cannot be performed immediately, restrict who can invoke the traverseContent service: require a narrowly scoped permission for it in the service definition, grant that permission only to a small set of trusted administrators, and run the OFBiz JVM as an unprivileged operating-system account so that any code executed through the flaw inherits minimal privileges.
  • Review custom or third-party code that calls traverseContent, or that itself evaluates caller-supplied strings as Groovy, and make sure no user-controlled input reaches an evaluator. OFBiz relies on Groovy for many of its own screens and services, so disabling Groovy outright is rarely practical; the control that matters is that user input is treated as data, never as code.
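
The pattern behind the Impact section and the third recommendation, as an added illustration that is not OFBiz's traverseContent code or the 24.09.06 patch: a content-traversal routine that compiles and runs a caller-supplied filter expression with GroovyShell (CWE-95), beside a version that accepts only a named predicate from a fixed allowlist plus a plain data value. The Content record, its field names, the filter names and the sample tree are assumptions made for the example; it needs the Groovy runtime on the classpath and, for the payload line, a Unix host where the id command exists.

```java
import groovy.lang.Binding;
import groovy.lang.GroovyShell;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.BiPredicate;

// Added illustration of CWE-95 (eval injection) and its fix. NOT OFBiz code:
// the Content record, field names and filter names are assumptions for the example.
public class ContentTraversalExample {

    // Stand-in for a content node (assumption; the real OFBiz entity has many more fields).
    public static final class Content {
        public final String contentId;
        public final String contentTypeId;
        public final String statusId;
        public Content(String contentId, String contentTypeId, String statusId) {
            this.contentId = contentId;
            this.contentTypeId = contentTypeId;
            this.statusId = statusId;
        }
        @Override public String toString() { return contentId; }
    }

    // VULNERABLE: filterExpr comes from the caller and is compiled and run as Groovy.
    // Whoever controls the string controls the JVM: Groovy can call any Java API, so a
    // payload such as "'id'.execute(); true" runs an OS command and still "matches".
    public static List<Content> traverseVulnerable(List<Content> nodes, String filterExpr) {
        List<Content> matched = new ArrayList<>();
        for (Content node : nodes) {
            Binding binding = new Binding();
            binding.setVariable("content", node);
            Object keep = new GroovyShell(binding).evaluate(filterExpr); // untrusted code executes here
            if (Boolean.TRUE.equals(keep)) {
                matched.add(node);
            }
        }
        return matched;
    }

    // HARDENED: no evaluator on the user-controlled path. The caller names one of a
    // fixed set of compiled predicates and supplies a plain data value to compare against.
    private static final Map<String, BiPredicate<Content, String>> ALLOWED_FILTERS = new HashMap<>();
    static {
        ALLOWED_FILTERS.put("statusEquals", (node, value) -> value.equals(node.statusId));
        ALLOWED_FILTERS.put("typeEquals", (node, value) -> value.equals(node.contentTypeId));
        ALLOWED_FILTERS.put("idStartsWith", (node, value) -> node.contentId.startsWith(value));
    }

    public static List<Content> traverseHardened(List<Content> nodes, String filterName, String filterValue) {
        BiPredicate<Content, String> filter = ALLOWED_FILTERS.get(filterName);
        if (filter == null) {
            // Unknown filter names are rejected outright rather than interpreted.
            throw new IllegalArgumentException("unknown filter: " + filterName);
        }
        List<Content> matched = new ArrayList<>();
        for (Content node : nodes) {
            if (filter.test(node, filterValue)) {
                matched.add(node);
            }
        }
        return matched;
    }

    public static void main(String[] args) {
        // Constructed sample tree (assumed content IDs, types and statuses).
        List<Content> tree = List.of(
                new Content("WebSite", "WEB_SITE_PUB_PT", "CTNT_PUBLISHED"),
                new Content("Draft1", "DOCUMENT", "CTNT_INITIAL_DRAFT"));

        // Intended use of the vulnerable API: a harmless Groovy expression over the node.
        System.out.println(traverseVulnerable(tree, "content.statusId == 'CTNT_PUBLISHED'"));
        // The same API given a payload: Groovy spawns the command, then the filter returns true.
        System.out.println(traverseVulnerable(tree, "'id'.execute(); true"));
        // Hardened API: the same business need, and the value is never parsed as code.
        System.out.println(traverseHardened(tree, "statusEquals", "CTNT_PUBLISHED"));
        // Smuggling code through the hardened API just yields an unmatched string value.
        System.out.println(traverseHardened(tree, "statusEquals", "'id'.execute(); true"));
    }
}
```

Wrapping the evaluator in a SecureASTCustomizer or similar compile-time sandbox is a weaker second choice: it filters the script's AST, so it does not cover code that reaches dangerous APIs indirectly at runtime. Taking the evaluator off the user-controlled path, as the hardened method does, is the fix that actually removes the CWE-95 condition.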



Advisories

No advisories yet.

History

Wed, 20 May 2026 16:30:00 +0000

Type: Metrics
  Values Removed:
    cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  Values Added:
    cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 19 May 2026 19:30:00 +0000

Type: References

Tue, 19 May 2026 16:45:00 +0000

Type: CPEs
  Values Added:
    cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

Tue, 19 May 2026 14:15:00 +0000

Type: Metrics
  Values Added:
    cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 13:45:00 +0000

Type: First Time appeared
  Values Added: Apache; Apache ofbiz
Type: Vendors & Products
  Values Added: Apache; Apache ofbiz

Tue, 19 May 2026 10:15:00 +0000

Type: Description
  Values Added: Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Type: Title
  Values Added: Apache OFBiz: Improper Validation in traverseContent Service Enables Authenticated Groovy Code Execution
Type: Weaknesses
  Values Added: CWE-94; CWE-95
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-20T15:33:41.602Z

Reserved: 2026-05-15T08:45:12.744Z

Link: CVE-2026-46586

Vulnrichment

Updated: 2026-05-19T18:37:25.145Z

NVD

Status: Modified

Published: 2026-05-19T10:16:24.733

Modified: 2026-05-20T17:16:25.157

Link: CVE-2026-46586

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T17:45:36Z

Weaknesses