CVE-2026-29220
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache OFBiz before 24.09.06 contains a path traversal vulnerability in the Content component that a low-privilege authenticated user can abuse for local file inclusion.
Vulnerability
A path traversal vulnerability exists in the Content component of Apache OFBiz versions before 24.09.06. The software fails to properly restrict file paths, allowing an attacker to escape the intended directory. This issue is classified as an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [1].
Exploitation
An attacker with low-privilege authenticated access to the OFBiz application can exploit this by crafting HTTP requests containing path traversal sequences (e.g., ../). No additional user interaction is required beyond the initial authentication. The vulnerability is reachable through the Content component's file handling endpoints [1].
Impact
Successful exploitation enables local file inclusion (LFI), allowing the attacker to read arbitrary files from the server's filesystem. This can lead to disclosure of sensitive information such as configuration files, database credentials, or other application secrets. Depending on the exposed data, privilege escalation may be possible [1].
Mitigation
Users should upgrade to Apache OFBiz version 24.09.06, which contains the fix for this vulnerability. No workarounds have been published. The issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
- lists.apache.org/thread/5hjnmt9no6mmtg8sxq3mhonzff1vkd5mnvd (Mailing List, Vendor Advisory)
- www.openwall.com/lists/oss-security/2026/05/19/15 (nvd)
News mentions: 0
No linked articles in our index yet.