RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI
Description
Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache OFBiz prior to 17.12.06 is vulnerable to unauthenticated remote code execution via unsafe deserialization in the SOAP framework.
Vulnerability
Apache OFBiz versions prior to 17.12.06 contain an unsafe deserialization flaw in the SOAP functionality. The vulnerability exists in the com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl class, which allows an attacker to craft a malicious serialized Java object and send it in a SOAP request. No authentication or special configuration is required to trigger the vulnerable code path [1].
Exploitation
An unauthenticated attacker can send a specially crafted SOAP request containing a malicious Java serialized object to the SOAP endpoint. The attacker does not need any prior access or user interaction. The exploit does not require a race window or write access; it is a straightforward deserialization attack over the network [1].
Impact
Successful exploitation enables an unauthenticated attacker to execute arbitrary code on the Apache OFBiz server with the privileges of the OFBiz process. This leads to full compromise of the application and underlying host, including data exfiltration, configuration modification, and lateral movement [1].
Mitigation
Apache OFBiz version 17.12.06, released on March 22, 2021, fixes the unsafe deserialization. Users should upgrade to this version or later. There is no known workaround for this vulnerability. The CVE is not listed in the CISA KEV catalog [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: Apache OFBiz 17.12.01 to 17.12.05
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- packetstormsecurity.com/files/162104/Apache-OFBiz-SOAP-Java-Deserialization.html (MISC)
- lists.apache.org/thread.html/r078351a876ed284ba667b33aba29428d7308a5bd4df78f14a3df6661%40%3Cnotifications.ofbiz.apache.org%3E (MLIST)
- lists.apache.org/thread.html/r0d97a3b7a14777b9e9e085b483629d2774343c4723236d1c73f43ff0%40%3Cdev.ofbiz.apache.org%3E (MLIST)
- lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d%40%3Ccommits.ofbiz.apache.org%3E (MLIST)
- lists.apache.org/thread.html/r3c1802eaf34aa78a61b4e8e044c214bc94accbd28a11f3a276586a31%40%3Cuser.ofbiz.apache.org%3E (MISC)
- lists.apache.org/thread.html/r3ee005dd767cd83f522719423f5e7dd316f168ddbd1dc51a13d4e244%40%3Cnotifications.ofbiz.apache.org%3E (MLIST)
- lists.apache.org/thread.html/r6e4579c4ebf7efeb462962e359501c6ca4045687f12212551df2d607%40%3Cnotifications.ofbiz.apache.org%3E (MLIST)
- lists.apache.org/thread.html/rab718cfe6468085d7560c0c1ae816841e175886199f42e36efb8d735%40%3Cnotifications.ofbiz.apache.org%3E (MLIST)
- lists.apache.org/thread.html/rbe512e5ccd6b11169c6379daa1234bc805f3d53c5a38224e956295ce%40%3Cnotifications.ofbiz.apache.org%3E (MLIST)
- lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d%40%3Ccommits.ofbiz.apache.org%3E (MLIST)
- lists.apache.org/thread.html/rc9bd0d3d794dc370bc70585960841868cb29b92dcc80552b84ca2599%40%3Cnotifications.ofbiz.apache.org%3E (MLIST)
- lists.apache.org/thread.html/rec5e9fdcdca13099cfb29f632333f44ad1dd60d90f67b90434e4467a%40%3Cdev.ofbiz.apache.org%3E (MLIST)
- lists.apache.org/thread.html/reccf8c8a58337ce7c035495d3d82fbc549e97036a9789a2a7d9cccf6%40%3Cdev.ofbiz.apache.org%3E (MLIST)
News mentions
No linked articles in our index yet.