Description

A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges.

This issue affects Apache OFBiz: before 24.09.07.

Users are recommended to upgrade to version 24.09.07, which fixes the issue.
Published: 2026-06-10
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an authenticated user with low privileges to gain higher privileges by bypassing the authorization checks on updateOrRemove operations. The flaw is a classic authorization bypass (improper authorization), classified as CWE-285. An attacker needs no privileges beyond an ordinary low-privileged account to elevate their access rights, which can lead to compromise of the entire system.

Affected Systems

Apache Software Foundation's Apache OFBiz, versions earlier than 24.09.07. Any low-privileged authenticated user of the application can use the flaw to step up their privileges.

Risk and Exploitability

The entry has no publicly available CVSS score, EPSS score, or KEV listing, which suggests it is not yet known to be widely exploited. Nonetheless, exploitation is straightforward for any authenticated user: a request to the vulnerable updateOrRemove endpoint that bypasses the authorization check yields elevated rights. An attacker can then perform any action permitted by the higher privilege level. The risk is high because the flaw removes the distinction between low- and high-privileged users within the application.

Generated by OpenCVE AI on June 11, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official fix by upgrading to Apache OFBiz 24.09.07 or newer.
  • If an upgrade cannot be performed immediately, restrict access to the updateOrRemove endpoints for users with low privileges and audit access control lists for improper permissions.
  • Deploy monitoring and intrusion detection rules to flag unexpected privilege changes or unauthorized activity on privileged endpoints.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 00:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Apache; Apache ofbiz
Vendors & Products                      Apache; Apache ofbiz

Wed, 10 Jun 2026 23:30:00 +0000

Type                  Values Removed    Values Added
References

Wed, 10 Jun 2026 23:15:00 +0000

Type                  Values Removed    Values Added
Description                             A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges. This issue affects Apache OFBiz: before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue.
Title                                   Apache OFBiz: Privilege Escalation via updateOrRemove Authorization Bypass
Weaknesses                              CWE-285
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-10T22:41:59.149Z

Reserved: 2026-05-19T12:16:23.340Z

Link: CVE-2026-47342

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T23:16:48.507

Modified: 2026-06-10T23:16:48.507

Link: CVE-2026-47342

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T00:30:45Z

Weaknesses