CVE-2026-29226
Description
Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz via Content component operations.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Low-privilege SSRF in Apache OFBiz Content component allows unauthorized server requests; fixed in 24.09.06.
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability exists in the Apache OFBiz Content component operations. Affected versions are Apache OFBiz before 24.09.06. The issue allows an authenticated user with low privileges to craft requests that make the OFBiz server issue HTTP requests to arbitrary destinations [1].
Exploitation
An attacker must have low-privilege authenticated access to an Apache OFBiz instance. By manipulating input to the Content component, the attacker can force the server to make outgoing requests to attacker-controlled URLs or internal resources. No special network position or user interaction beyond standard low-privilege login is required [1].
Impact
Successful exploitation enables the attacker to perform SSRF, sending HTTP requests from the OFBiz server to internal or external systems. This can lead to information disclosure, access to internal services, or further network reconnaissance. The attacker gains the ability to probe and potentially interact with resources behind the server’s firewall [1].
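The following is an added illustration of the vulnerability class described above, not Apache OFBiz code and not the fix shipped in 24.09.06. It shows what a server-side fetch that takes a user-supplied URL should check before connecting: scheme allowlist, no embedded credentials, and a resolve-then-validate step that rejects every loopback, private, link-local, unspecified and cloud-metadata style address, including IPv6 literals and IPv4-mapped IPv6. The hostnames and the name table are constructed so the example runs offline; a real deployment would pass the system resolver.

```python
"""Illustrative SSRF destination guard (added example, not Apache OFBiz code).

The resolver is injectable so the example runs offline against a constructed
name table (FAKE_DNS below); in production pass system_resolve instead.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Union

from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed name table standing in for DNS. Names and addresses are assumptions
# made for this example only.
FAKE_DNS: Dict[str, List[str]] = {
    "intranet.example.test": ["10.0.0.5"],                # public-looking name, private IP
    "www.example.test": ["93.184.216.34"],                # stands in for a public address
    "dual.example.test": ["93.184.216.34", "127.0.0.1"],  # one of two records is loopback
    "localhost": ["127.0.0.1", "::1"],
}


def fake_resolve(host: str) -> List[str]:
    """Offline stand-in for DNS; fails the way getaddrinfo does on NXDOMAIN."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed lookup failed for {host!r}")


def system_resolve(host: str) -> List[str]:
    """Real resolver: every A/AAAA answer, deduplicated."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def address_is_internal(addr: IPAddress) -> bool:
    """True for any address an outbound server-side fetch must never reach."""
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as the IPv4 it names.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_link_local covers 169.254.0.0/16, where cloud metadata endpoints live.
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_fetch_target(url: str,
                       resolve: Callable[[str], Iterable[str]] = system_resolve) -> str:
    """Validate a user-supplied URL and return the IP literal to connect to.

    Raises ValueError when the URL must not be fetched. Returning the resolved
    address (and connecting to it, sending the original name in the Host header)
    removes the re-resolution window that DNS rebinding exploits.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname  # lowercased, IPv6 brackets stripped, None if absent
    if not host:
        raise ValueError("missing host")
    try:
        addrs: List[IPAddress] = [ipaddress.ip_address(host)]  # IP literal, no DNS needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            raise ValueError(f"cannot resolve {host!r}: {exc}") from exc
        if not addrs:
            raise ValueError(f"no addresses for {host!r}")
    # Every answer must be acceptable: a name with one public and one loopback
    # record would otherwise let the client library pick the internal one.
    for addr in addrs:
        if address_is_internal(addr):
            raise ValueError(f"{url} resolves to internal address {addr}")
    return str(addrs[0])


def classify(urls: Iterable[str],
             resolve: Callable[[str], Iterable[str]] = system_resolve) -> Dict[str, str]:
    """Map each URL to 'allowed <ip>' or 'blocked: <reason>' for reporting."""
    result: Dict[str, str] = {}
    for u in urls:
        try:
            result[u] = "allowed " + check_fetch_target(u, resolve)
        except ValueError as exc:
            result[u] = "blocked: " + str(exc)
    return result


if __name__ == "__main__":
    # Constructed inputs covering the destinations an SSRF would typically target.
    samples = [
        "https://www.example.test/feed.xml",
        "http://intranet.example.test/",
        "http://dual.example.test/",
        "http://10.0.0.5/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://localhost:8080/",
        "http://[::1]/",
        "http://[::ffff:127.0.0.1]/",
        "http://0.0.0.0/",
        "file:///etc/passwd",
        "http://nosuch.example.test/",
    ]
    for url, verdict in classify(samples, fake_resolve).items():
        print(f"{verdict:<60} {url}")
```

Two caveats a practitioner would add around this check: HTTP redirects must be re-validated hop by hop (a public host can 302 to an internal one), and the validated address, not the hostname, must be what the socket connects to, otherwise the client library's own lookup reopens the rebinding window.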
Mitigation
Upgrade to Apache OFBiz version 24.09.06, which fixes the vulnerability. The fix was released on 2026-05-19. No workarounds have been disclosed in the available references. The vulnerability is not known to be listed in the CISA Known Exploited Vulnerabilities catalog as of publication date [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- lists.apache.org/thread/6707wys8jxzmowxggn4cmtwwk9ygl2tr (nvd, Mailing List, Vendor Advisory)
- www.openwall.com/lists/oss-security/2026/05/19/16 (nvd)
News mentions (0)
No linked articles in our index yet.