CRITICAL🇵🇱 Wersja polska

CVE-2026-45434

CVSS 9.8v3.1pub. 2026-05-19upd. 2026-05-20

Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remote Code Execution This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

🤖 AI Analysis
How it works

The flaw lies in the password change logic handling in Apache OFBiz — improper implementation of the authentication process allows bypassing user identity verification. An attacker remotely, without possessing an account or any permissions, can exploit this vulnerability to gain unauthorized access to the application. Consequently, remote code execution (RCE) on the server running the application is possible.

Impact

An attacker can gain full control over the system — from unauthorized access to data, through modification and deletion, to execution of arbitrary code on the server (RCE), which threatens the confidentiality, integrity, and availability of the system.

Mitigation & patch

Apache OFBiz must be immediately updated to version 24.09.06 or newer, which contains a fix eliminating the described vulnerability.

Who is affected

Apache OFBiz in all versions prior to 24.09.06

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Ofbiz

    APP
    Apache
    < 24.09.06
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth Bypass
CWE
References

Related vulnerabilities

CVE-2024-38856CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apache OFBiz — nieautoryzowane wykonanie kodu przez błędną autoryzację

CVE-2024-32113CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Path Traversal w Apache OFBiz umożliwiający zdalne wykonanie kodu

CVE-2026-41919CRITICAL9.1PL ✓ten sam produkt

LDAP Injection w Apache OFBiz umożliwiający nieautoryzowany dostęp

CVE-2026-31986CRITICAL9.1PL ✓ten sam produkt

Apache OFBiz — użycie zakodowanego na stałe klucza kryptograficznego

CVE-2025-54466CRITICAL9.8PL ✓ten sam produkt

Apache OFBiz: Code Injection w pluginie scrum umożliwia RCE