Vypr Intelligence · AI-generated · May 31, 2026 · 17 CVEs

Apache OFBiz: 17 CVEs Disclosed in Single Advisory — Three Critical, Patch Now

Apache released OFBiz 24.09.06 on May 19, 2026, fixing 17 vulnerabilities including three critical-severity flaws spanning authentication bypass, LDAP injection, and hard-coded cryptographic keys.

Key findings

  • 17 CVEs disclosed together on May 19, 2026, all fixed in OFBiz 24.09.06
  • Three critical-severity bugs: auth bypass (CVE-2026-45434, CVSS 9.8), LDAP injection (CVE-2026-41919, CVSS 9.1), and hard-coded crypto key (CVE-2026-31986, CVSS 9.1)
  • CVE-2026-45434 is an unauthenticated password-change logic flaw leading to RCE
  • Four high-severity CVEs include code injection, two SSRF bugs, and an info disclosure flaw
  • Bug classes span code injection, XSS, path traversal, EL injection, SSRF, template injection, and more
  • No active exploitation reported as of disclosure date

Apache OFBiz, the open-source enterprise resource planning (ERP) system, received a massive security update on May 19, 2026, when version 24.09.06 shipped with fixes for 17 distinct CVEs. The batch — disclosed simultaneously by the Apache OFBiz security team — includes three critical-rated vulnerabilities (CVSS 9.8, 9.1, and 9.1) and four high-severity bugs, making it one of the most consequential single advisories for the project in recent years. All versions prior to 24.09.06 are affected.

Critical Flaws: Authentication Bypass, LDAP Injection, and Hard-Coded Keys

Three CVEs earned the "Critical" label. The most severe is CVE-2026-45434 (CVSS 9.8), an improper authentication vulnerability in the password-change logic that can lead directly to remote code execution. An unauthenticated attacker who can reach the OFBiz instance could exploit the flawed password-reset flow to gain full control of the system.

CVE-2026-41919 (CVSS 9.1) is an LDAP injection vulnerability — improper neutralization of special elements used in an LDAP query. An attacker capable of injecting crafted input into LDAP operations could bypass authentication, escalate privileges, or extract sensitive directory data.
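As an added illustration of this bug class (example code, not OFBiz's own; the filter template, the `uid` attribute and the usernames are constructed here), the injectable string-concatenation pattern is shown beside its RFC 4515 escaped form, with a structural check that a test suite can run to confirm untrusted input can no longer add filter components:

```python
import re

# RFC 4515: metacharacters inside a filter assertion value are written as
# a backslash followed by the two hex digits of the byte.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a user-supplied value so the server treats it as literal text."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(username: str) -> str:
    """Injectable pattern: raw interpolation into the filter (constructed template)."""
    return f"(&(objectClass=person)(uid={username}))"


def build_filter_hardened(username: str) -> str:
    """Fixed pattern: the value is escaped before interpolation."""
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"


def unescaped_parens(ldap_filter: str) -> int:
    """Count '(' characters that open a filter component (escaped ones are '\\28')."""
    return len(re.findall(r"(?<!\\)\(", ldap_filter))


def structure_preserved(build, value: str) -> bool:
    """True if interpolating `value` yields the same component count as a benign name.

    A drop in this check on a crafted value such as '*)(uid=*' is the
    signature of an injectable filter builder.
    """
    return unescaped_parens(build(value)) == unescaped_parens(build("benign"))


if __name__ == "__main__":
    crafted = "*)(uid=*"  # constructed sample input
    print("vulnerable:", build_filter_vulnerable(crafted),
          structure_preserved(build_filter_vulnerable, crafted))
    print("hardened:  ", build_filter_hardened(crafted),
          structure_preserved(build_filter_hardened, crafted))
```

Values that end up in a distinguished name rather than a filter need the separate RFC 4514 DN escaping rules, so a single escaping helper should not be reused for both contexts.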

Rounding out the critical trio is CVE-2026-31986 (CVSS 9.1), a hard-coded cryptographic key vulnerability. The use of static, embedded cryptographic keys undermines encryption protections entirely, allowing an attacker who discovers the key to decrypt sensitive communications or forge authenticated requests.

High-Severity Bugs: Code Injection, SSRF, and Information Disclosure

Four high-severity CVEs were also patched. CVE-2026-46586 (CVSS 8.8) is a code injection and eval injection flaw — improper control over dynamically evaluated code could let an authenticated attacker execute arbitrary commands on the server. CVE-2026-31910 (CVSS 7.5) and CVE-2026-29226 (CVSS 7.3) are both server-side request forgery (SSRF) vulnerabilities, with the latter specifically affecting Content component operations. SSRF bugs in ERP systems are particularly dangerous because they can be leveraged to probe internal network services.

CVE-2026-31909 (CVSS 7.5) exposes sensitive information to unauthorized actors, potentially leaking internal configuration data or user details.

Medium-Severity Cluster: XSS, Path Traversal, EL Injection, and More

The remaining ten CVEs are rated Medium, but several carry significant risk in combination. CVE-2026-31906 (CVSS 6.1) and CVE-2026-31379 (CVSS 6.1) are cross-site scripting (XSS) flaws; the latter also involves path traversal and code injection vectors. CVE-2026-29220 (CVSS 6.5) is a path traversal vulnerability that could allow an attacker to read arbitrary files on the server.

CVE-2026-31380 (CVSS 6.5) is an Expression Language (EL) injection vulnerability — a bug class that has historically been leveraged for remote code execution in Java-based frameworks. CVE-2026-29207 (CVSS 6.5) involves improper neutralization of special elements used in a template engine, which could lead to template injection attacks.

Other medium-severity issues include CVE-2026-45187 (CVSS 6.5, improper authorization in Webtools), CVE-2026-35086 (CVSS 6.5, code injection in email services), CVE-2026-31378 (CVSS 6.5, improper input validation), CVE-2026-31388 (CVSS 5.3, improper access control in multi-tenant deployments), and CVE-2026-31387 (CVSS 5.3, improper authentication).

Patch Status and Mitigation

All 17 CVEs are fixed in Apache OFBiz version 24.09.06. Users running any earlier release — including all 23.x and earlier 24.x branches — are urged to upgrade immediately. The Apache OFBiz project does not backport security fixes to older release lines, so upgrading to 24.09.06 is the only complete remediation path.

No in-the-wild exploitation has been publicly reported for any of these CVEs as of the disclosure date, though the critical authentication bypass (CVE-2026-45434) was noted in a weekly security recap by The Hacker News as part of the broader May 2026 threat landscape.

Why This Batch Matters

Seventeen vulnerabilities in a single release is unusual even for a large project like OFBiz, and the presence of three critical-severity flaws — including an unauthenticated RCE chain through password-change logic — makes this advisory a must-patch event for any organization running the ERP system. The breadth of bug classes (code injection, SSRF, LDAP injection, hard-coded crypto, XSS, path traversal, EL injection, template injection) suggests a thorough security audit was conducted, and administrators should treat this as a signal to review their OFBiz deployment posture comprehensively.

AI-written article. Grounded in 17 CVE records listed below.