CVE-2026-29207
Description
Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Please note that in the updated version, "Data Resource" records with dataTemplateTypeId = "FTL" are no longer supported.
Additionally, in the updated version, the "Ecommerce Customer" security group no longer includes content management grants. Users are advised to remove these permissions from any production site as well.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A server-side template injection in Apache OFBiz before 24.09.06 allows authenticated low-privilege users to achieve remote code execution via the Content component.
Vulnerability
A server-side template injection (SSTI) vulnerability exists in the Content component of Apache OFBiz. The software fails to properly neutralize special elements used in a template engine when processing Data Resource records with dataTemplateTypeId = "FTL". This allows an attacker who can create or modify such records to inject FreeMarker template directives. The issue affects Apache OFBiz versions before 24.09.06 [1].
Exploitation
An attacker must have authenticated access to the OFBiz application and possess sufficient privileges to create or edit Data Resource records (e.g., a member of the "Ecommerce Customer" security group which previously included content management grants). The attacker sets the dataTemplateTypeId field to "FTL" and embeds malicious FreeMarker template code in the resource content. When the Content component renders this resource, the injected code is executed [1].
Impact
Successful exploitation results in remote code execution (RCE) in the context of the OFBiz server. The attacker can execute arbitrary system commands, read or write files, and potentially compromise the entire application and underlying host. The injection occurs server-side, so no user interaction beyond the initial authenticated request is required [1].
Mitigation
Upgrade to Apache OFBiz version 24.09.06, released on 2026-05-19, which removes support for Data Resource records with dataTemplateTypeId = "FTL" and removes content management grants from the "Ecommerce Customer" security group. Users should also manually remove these permissions from any production sites as recommended in the advisory. No workaround is available for earlier versions [1].
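As an added pre-upgrade audit (example SQL, not from the advisory or the OFBiz project), the two queries below list the Data Resource records that still use the "FTL" template type and the security groups that still hold content management grants, so both can be reviewed before the 24.09.06 upgrade. They assume OFBiz's standard entity-to-table naming (DataResource, ElectronicText, SecurityGroupPermission) and the CONTENTMGR permission prefix; the Ecommerce Customer group id is not given on the page, so the second query lists every group rather than guessing it.

```sql
-- Added audit queries; not from the advisory or the OFBiz project.
-- Assumptions: standard OFBiz schema naming (DataResource -> DATA_RESOURCE,
-- ElectronicText -> ELECTRONIC_TEXT, SecurityGroupPermission ->
-- SECURITY_GROUP_PERMISSION, with FROM_DATE/THRU_DATE columns) and content
-- manager permission ids prefixed CONTENTMGR. The Ecommerce Customer group id
-- is not on the page, so query 2 returns all groups for you to read against
-- your own group ids.

-- 1. Data Resource records that use the FTL template type. These are the
--    records that stop working after 24.09.06 and the ones a low-privilege
--    author could have used to inject FreeMarker directives before it.
--    TEXT_DATA is shown so the template body can be reviewed by hand.
SELECT dr.DATA_RESOURCE_ID,
       dr.DATA_RESOURCE_NAME,
       dr.CREATED_BY_USER_LOGIN,
       dr.LAST_MODIFIED_BY_USER_LOGIN,
       dr.LAST_MODIFIED_DATE,
       et.TEXT_DATA
  FROM DATA_RESOURCE dr
  LEFT JOIN ELECTRONIC_TEXT et ON et.DATA_RESOURCE_ID = dr.DATA_RESOURCE_ID
 WHERE dr.DATA_TEMPLATE_TYPE_ID = 'FTL'
 ORDER BY dr.LAST_MODIFIED_DATE DESC;

-- 2. Security groups that still hold active content management grants.
--    Look for the Ecommerce Customer group in the output; grants it no
--    longer needs can be expired (THRU_DATE) or removed through the
--    Security Group administration screens.
SELECT sgp.GROUP_ID,
       sgp.PERMISSION_ID,
       sgp.FROM_DATE,
       sgp.THRU_DATE
  FROM SECURITY_GROUP_PERMISSION sgp
 WHERE sgp.PERMISSION_ID LIKE 'CONTENTMGR%'
   AND (sgp.THRU_DATE IS NULL OR sgp.THRU_DATE > CURRENT_TIMESTAMP)
 ORDER BY sgp.GROUP_ID, sgp.PERMISSION_ID;
```

Run both against a read replica or a backup first; the first result set is also the list of content that will need to be re-authored with a supported template type after the upgrade.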
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- lists.apache.org/thread/3rcrp8bh3x6ovrj5xnc0fm1f0nrn52r0 (Mailing List, Vendor Advisory; source: NVD)
- www.openwall.com/lists/oss-security/2026/05/19/14 (source: NVD)
News mentions (0)
No linked articles in our index yet.