Description
A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges

This issue affects Apache OFBiz: before 24.09.07.

Users are recommended to upgrade to version 24.09.07, which fixes the issue.
Published: 2026-06-10
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an authenticated user holding only low privileges to gain higher privileges by bypassing the authorization checks on the updateOrRemove operations. The flaw is an authorization bypass, classified as CWE-285 (Improper Authorization): the application confirms that the caller is logged in but does not correctly verify that the caller is permitted to perform the requested update or removal. No additional privileges or user interaction are required beyond the low-privileged account (CVSS PR:L, UI:N), and the high confidentiality, integrity and availability ratings (C:H/I:H/A:H) mean the elevated rights can be used against the whole OFBiz application, with scope unchanged (S:U), i.e. confined to that application.
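The pattern behind an authorization bypass of this kind, as an added example: this is not Apache OFBiz code and does not reproduce the actual OFBiz defect (whose details are not published on this page). It models an "update or remove" handler that only confirms the caller is logged in, beside one that also requires a specific permission and refuses self-modification. The store, group and permission names (SecurityGroupStore, FULLADMIN, SECURITY_ADMIN) are made up for the illustration.

```python
"""
Model of the CWE-285 pattern behind an "update or remove" privilege
escalation: the handler verifies that the caller is logged in but never
verifies that this caller may perform this operation on this target.
Hypothetical illustration, not Apache OFBiz code; SecurityGroupStore,
FULLADMIN and SECURITY_ADMIN are names invented for the example.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    login: str
    groups: set = field(default_factory=set)
    permissions: set = field(default_factory=set)


@dataclass
class SecurityGroupStore:
    # login -> set of security-group names (constructed sample data)
    membership: dict = field(default_factory=dict)

    def groups_of(self, login):
        return set(self.membership.get(login, set()))


def _apply(store, target_login, group, remove):
    current = store.membership.setdefault(target_login, set())
    if remove:
        current.discard(group)
    else:
        current.add(group)
    return store.groups_of(target_login)


def vulnerable_update_or_remove(caller, store, target_login, group, remove=False):
    """Authentication only: any logged-in user may add or drop any membership."""
    if caller is None:
        raise PermissionError("login required")
    return _apply(store, target_login, group, remove)


def hardened_update_or_remove(caller, store, target_login, group, remove=False):
    """Authentication plus authorization: deny by default, require an explicit
    administrative permission, and never let callers edit their own groups."""
    if caller is None:
        raise PermissionError("login required")
    if "SECURITY_ADMIN" not in caller.permissions:
        raise PermissionError(f"{caller.login} lacks SECURITY_ADMIN")
    if caller.login == target_login:
        raise PermissionError("self-modification of security groups is not allowed")
    return _apply(store, target_login, group, remove)


def demo():
    """Replays the escalation against both handlers and returns the outcomes."""
    def fresh_store():
        return SecurityGroupStore({"admin": {"FULLADMIN"}, "mallory": {"USER"}})

    mallory = User("mallory", groups={"USER"})
    admin = User("admin", groups={"FULLADMIN"}, permissions={"SECURITY_ADMIN"})

    # Low-privileged account grants itself the admin group via the flawed handler.
    s1 = fresh_store()
    escalated = vulnerable_update_or_remove(mallory, s1, "mallory", "FULLADMIN")

    # The same request against the hardened handler is refused; store unchanged.
    s2 = fresh_store()
    try:
        hardened_update_or_remove(mallory, s2, "mallory", "FULLADMIN")
        blocked = False
    except PermissionError:
        blocked = True

    # A legitimately privileged caller can still administer other accounts.
    s3 = fresh_store()
    legit = hardened_update_or_remove(admin, s3, "mallory", "FULLADMIN")

    return {
        "vulnerable_result": escalated,
        "hardened_blocked": blocked,
        "hardened_store_unchanged": s2.groups_of("mallory") == {"USER"},
        "admin_can_administer": legit,
    }


if __name__ == "__main__":
    print(demo())
```

Running the file shows the flawed handler letting the low-privileged account add itself to the administrative group while the hardened handler refuses and leaves the store untouched. The point is the one the CVSS vector's PR:L hints at: being authenticated is not the same as being authorized, so every state-changing operation needs its own permission test against the caller and the target rather than a login check at the entry point alone.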

Affected Systems

Apache Software Foundation's Apache OFBiz, all versions before 24.09.07. Any account that can authenticate with low privileges is sufficient to exploit the flaw; no special role or configuration is described.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) describes a network-reachable, low-complexity attack that needs only a low-privileged account and no user interaction. The EPSS score is below 1%, there is no KEV listing, and the SSVC assessment records Exploitation: none and Automatable: no, so there is no evidence of in-the-wild exploitation at the time of writing and no public exploit details are referenced here. Once an attacker holds any low-privileged account, the attack consists of issuing requests to the updateOrRemove operations that the application fails to authorize correctly; the attacker then has whatever rights the higher privilege level grants. The risk is high because the flaw erases the distinction between low- and high-privileged users inside the application.

Generated by OpenCVE AI on June 12, 2026 at 15:31 UTC.

Remediation

Vendor fix: upgrade to Apache OFBiz 24.09.07, which the vendor states fixes the issue. No vendor-supplied workaround is listed.

OpenCVE Recommended Actions

  • Apply the official fix by upgrading to Apache OFBiz 24.09.07 or newer.
  • If an upgrade cannot be performed immediately, restrict the updateOrRemove operations to the accounts that genuinely need them (for example at the reverse proxy or through the application's own request-level security settings) and audit security-group and permission assignments for accounts that should not hold elevated rights. Treat this as a stopgap: an authorization check that is missing inside the application cannot be fully replaced from outside it.
  • Deploy monitoring and detection rules that alert on calls to the updateOrRemove operations from low-privileged accounts and on unexpected changes to security-group membership or permissions, in particular where the acting account and the account being changed are the same.

Generated by OpenCVE AI on June 12, 2026 at 15:31 UTC.
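Detection logic for the monitoring recommended above, as an added example that is not OpenCVE's or Apache OFBiz's code. The audit-log format, the request name (updateOrRemoveUserGroup), the group names and the log lines themselves are constructed for the illustration; a real deployment would adapt the parser to its own access and security logs. Two rules are applied: updateOrRemove-style requests from callers who are not trusted administrators, and gains of an administrative group that were not granted by a trusted administrator to a different account.

```python
"""
Detection rules for the recommended monitoring: flag updateOrRemove-style
requests from callers who are not trusted administrators, and flag gains of
an administrative security group that were not granted by a trusted
administrator to someone else. Hypothetical illustration; the log format,
request names, group names and sample lines are constructed, not OFBiz's own.
"""
import re

# Assumption for the example: which security groups count as administrative.
ADMIN_GROUPS = {"FULLADMIN"}

# Constructed audit lines (not real OFBiz output): timestamp, then key=value pairs.
SAMPLE_LOG = """\
2026-06-12T10:00:01Z actor=admin groups=FULLADMIN event=request name=updateOrRemoveUserGroup target=alice status=200
2026-06-12T10:00:02Z actor=admin groups=FULLADMIN event=group_change target=alice added=CATALOG_ADMIN
2026-06-12T10:05:10Z actor=mallory groups=USER event=request name=viewProfile target=mallory status=200
2026-06-12T10:05:11Z actor=mallory groups=USER event=request name=updateOrRemoveUserGroup target=mallory status=200
2026-06-12T10:05:11Z actor=mallory groups=USER event=group_change target=mallory added=FULLADMIN
2026-06-12T10:07:00Z actor=mallory groups=USER,FULLADMIN event=request name=updateOrRemoveUserGroup target=bob status=200
2026-06-12T10:07:01Z actor=mallory groups=USER,FULLADMIN event=group_change target=bob added=FULLADMIN
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Splits one audit line into a dict; 'groups' becomes a set of names."""
    ts, _, rest = line.partition(" ")
    event = dict(_KV.findall(rest))
    event["ts"] = ts
    event["groups"] = set(event.get("groups", "").split(",")) - {""}
    return event


def analyze(log_text, trusted_admins=None):
    """Returns (timestamp, rule, detail) alerts in log order.

    trusted_admins seeds which logins legitimately hold which admin groups.
    Grants made by a trusted admin to another account extend that set, so a
    group an account gave itself (the escalation) never becomes trusted and
    everything done with it afterwards is still flagged.
    """
    trusted = {login: set(groups) for login, groups in (trusted_admins or {}).items()}
    alerts = []

    def is_trusted_admin(login, claimed_groups):
        return bool(claimed_groups & ADMIN_GROUPS & trusted.get(login, set()))

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        actor, target = e.get("actor", "?"), e.get("target", "?")
        actor_trusted = is_trusted_admin(actor, e["groups"])

        if e.get("event") == "request" and "updateOrRemove" in e.get("name", ""):
            # Rule 1: privileged operation invoked by a non-trusted caller, whether
            # genuinely low-privileged or claiming a group no trusted admin granted.
            if not actor_trusted:
                alerts.append((e["ts"], "untrusted_update_or_remove",
                               f"{actor} called {e['name']} on {target}"))

        elif e.get("event") == "group_change":
            gained, dropped = e.get("added"), e.get("removed")
            if gained in ADMIN_GROUPS:
                if actor_trusted and actor != target:
                    trusted.setdefault(target, set()).add(gained)  # legitimate grant
                else:
                    # Rule 2: admin group gained by self-service or via an untrusted actor.
                    alerts.append((e["ts"], "privilege_escalation",
                                   f"{target} gained {gained} via {actor}"))
            if dropped in ADMIN_GROUPS and actor_trusted:
                trusted.get(target, set()).discard(dropped)
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in analyze(SAMPLE_LOG, trusted_admins={"admin": {"FULLADMIN"}}):
        print(ts, rule, detail)
```

On the sample log the admin's own call is silent, while mallory's self-service call, the resulting group gain, and the follow-on use of the self-granted group against bob all produce alerts. Seeding the trusted set from a known-good administrator list, rather than from the groups the log claims, is what keeps the detector from trusting privileges that were obtained through the very flaw being monitored.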

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 19:45:00 +0000

  CPEs
    Values added: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

Fri, 12 Jun 2026 14:30:00 +0000

  Metrics
    Values added:
      cvssV3_1: {"score": 8.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}
      ssvc: {"options": {"Automatable": "no", "Exploitation": "none", "Technical Impact": "total"}, "version": "2.0.3"}

Thu, 11 Jun 2026 00:45:00 +0000

  First Time appeared
    Values added: Apache, Apache ofbiz
  Vendors & Products
    Values added: Apache, Apache ofbiz

Wed, 10 Jun 2026 23:30:00 +0000

  References
    (no values shown)

Wed, 10 Jun 2026 23:15:00 +0000

  Description
    Values added: A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges This issue affects Apache OFBiz: before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue.
  Title
    Values added: Apache OFBiz: Privilege Escalation via updateOrRemove Authorization Bypass
  Weaknesses
    Values added: CWE-285
  References
    (no values shown)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-12T12:44:44.347Z

Reserved: 2026-05-19T12:16:23.340Z

Link: CVE-2026-47342

Vulnrichment

Updated: 2026-06-10T22:41:59.149Z

NVD

Status : Analyzed

Published: 2026-06-10T23:16:48.507

Modified: 2026-06-12T19:31:41.303

Link: CVE-2026-47342

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T15:45:09Z

Weaknesses