Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with Content/DataResource editing privileges to perform template injection attacks that could lead to Remote Code Execution.

This issue affects Apache OFBiz: before 24.09.07.

Users are recommended to upgrade to version 24.09.07, which fixes the issue.
Published: 2026-06-10
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a code injection flaw that lets a low-privileged authenticated user with the ability to edit Content/DataResource objects inject arbitrary FreeMarker template code. Such injected code can be executed by the OFBiz application engine, providing the attacker with the ability to run system commands, exfiltrate data, or otherwise compromise the host. The flaw is a direct instance of improper code generation, which falls under the identified weakness category.

Affected Systems

Affected installations are those running Apache OFBiz earlier than version 24.09.07 from the Apache Software Foundation. Any deployment retaining those legacy releases and granting content or data‑resource editing rights to users who are not fully trusted falls within the risk window. The vendor lists all pre‑24.09.07 builds as vulnerable.

Risk and Exploitability

No EPSS entry is published, and the vulnerability is not in the CISA KEV catalog, but the absence of these metrics does not diminish the severity, especially given the confirmed remote code execution capability. The threat model requires an authenticated user with moderate privileges; therefore, the exploit is relatively low in effort but high in impact. The best posture for the environment is to promptly remediate with the vendor’s patch to eliminate the code execution pathway.

Generated by OpenCVE AI on June 11, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache OFBiz to 24.09.07 or any later release that contains the fix.
  • Restrict Content/DataResource editing permissions to trusted administrators only until the upgrade is applied to limit the potential for template injection.
  • Disable or limit the rendering of user supplied data through FreeMarker when not necessary, ensuring that only sanitized inputs are passed to the template engine.
  • Monitor for any unusual template rendering activity and verify that the application logs record no unauthorized template evaluations.

Generated by OpenCVE AI on June 11, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache ofbiz
Vendors & Products Apache
Apache ofbiz

Wed, 10 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
References

Wed, 10 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with Content/DataResource editing privileges to perform template injection attacks that could lead to Remote Code Execution. This issue affects Apache OFBiz: before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue.
Title Apache OFBiz: DataResource Low-Privileged Authenticated FreeMarker Template Injection Leads to Remote Code Execution
Weaknesses CWE-94
References

Subscriptions

Apache Ofbiz
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-10T22:42:04.290Z

Reserved: 2026-06-04T09:18:42.609Z

Link: CVE-2026-50223

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T23:16:49.777

Modified: 2026-06-10T23:16:49.777

Link: CVE-2026-50223

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T01:00:06Z

Weaknesses