Unrated severityCISA KEVNVD Advisory· Published Aug 5, 2024· Updated Oct 21, 2025

Apache OFBiz: Unauthenticated endpoint could allow execution of screen rendering code

CVE-2024-38856

Description

Incorrect Authorization vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: through 18.12.14.

Users are recommended to upgrade to version 18.12.15, which fixes the issue.

Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).

Affected products

Apache Software Foundation/Apache OFBizv5
Range: 0

Patches

6c3b0068a99b

https://github.com/apache/ofbiz-frameworkvia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7wmitrevendor-advisory
issues.apache.org/jira/browse/OFBIZ-13128mitreissue-tracking
ofbiz.apache.org/download.htmlmitreproductmitigation
ofbiz.apache.org/security.htmlmitrerelated

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.076
exploit	0.030
kev	0.120
patch	-0.070
ransomware	0.000