CVE-2026-31378
Description
Improper Input Validation vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache OFBiz before 24.09.06 contains an improper input validation vulnerability allowing remote code execution via JSON attribute override and URL allowlist bypass.
Vulnerability
Overview
CVE-2026-31378 is an improper input validation vulnerability in Apache OFBiz affecting versions prior to 24.09.06. The flaw stems from two weaknesses: insufficient validation of JSON attributes, which lets a request override attributes the application should control, and a bypass of the URL allowlist, which lets a request reach destinations the allowlist was meant to block [1].
Exploitation
An attacker with network access to an affected OFBiz instance can send specially crafted HTTP requests that combine the JSON attribute override with the URL allowlist bypass. No authentication is required, so any party able to reach the OFBiz HTTP interface is a potential attacker, and no prior knowledge of the target's configuration is needed. Successful exploitation leads to remote code execution [1].
Impact
Successful exploitation allows an attacker to execute arbitrary code on the server with the privileges of the OFBiz process, potentially leading to full compromise of the OFBiz application and the host running it. Consequences include theft of business data held in OFBiz, service disruption, and use of the host as a foothold for lateral movement within the network.
Mitigation
The Apache OFBiz project has released version 24.09.06, which addresses the issue by properly validating JSON inputs and enforcing the URL allowlist. Users are strongly advised to upgrade immediately. No workarounds have been published; until the upgrade is applied, restricting network exposure of the OFBiz web interface to trusted clients reduces the reachable attack surface but does not remove the flaw. The vulnerability was reported by Sho Odagiri of GMO Cybersecurity by Ierae, Inc. [1].
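The overview and mitigation above name two generic weakness classes, a URL allowlist that can be bypassed and JSON attributes that override server-controlled fields, without showing what they look like in code. The following is an added, constructed illustration of both patterns and of the strict checks that close them. It is not Apache OFBiz source, not a reproduction of this CVE's exploit, and the allowlisted hosts, field names and sample records are assumptions made for the example.

```python
"""Constructed illustration of a bypassable URL allowlist and of JSON
attribute override, each beside a strict version.  Example code only:
not Apache OFBiz code and not the CVE-2026-31378 exploit."""
import json
from urllib.parse import urlsplit

# Assumed allowlist of hosts the application may redirect or fetch to.
ALLOWED_HOSTS = {"ofbiz.example.com", "cdn.example.com"}

# Assumed set of record fields a client is allowed to set on this request.
CLIENT_SETTABLE = {"displayName", "email"}


def allowlist_weak(url: str) -> bool:
    """Typical flawed check: substring match on the raw URL string.
    Accepts 'https://ofbiz.example.com.attacker.net/' (allowed host as a
    subdomain prefix), 'https://ofbiz.example.com@attacker.net/' (allowed
    host in the userinfo part) and 'https://attacker.net/?next=cdn.example.com'
    (allowed host in the query)."""
    return any(host in url for host in ALLOWED_HOSTS)


def allowlist_strict(url: str) -> bool:
    """Parse first, then compare the exact, normalised host name.
    Anything the parser cannot make sense of is rejected, as is any URL
    carrying userinfo or a non-HTTP scheme."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False
    return host.rstrip(".") in ALLOWED_HOSTS


def apply_json_weak(record: dict, body: str) -> dict:
    """Flawed: every attribute in the JSON body lands on the record, so a
    client can override privileged fields such as 'role'."""
    updated = dict(record)
    updated.update(json.loads(body))
    return updated


def apply_json_strict(record: dict, body: str) -> dict:
    """Only explicitly allowlisted, well-typed fields are copied; unknown
    attributes are rejected rather than silently dropped, so an attempted
    override is visible in logs instead of being absorbed."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("JSON body must be an object")
    unknown = set(data) - CLIENT_SETTABLE
    if unknown:
        raise ValueError(f"attributes not permitted: {sorted(unknown)}")
    for key, value in data.items():
        if not isinstance(value, str):
            raise ValueError(f"{key} must be a string")
    updated = dict(record)
    updated.update(data)
    return updated


def demo() -> dict:
    """Run both pairs against constructed hostile input and report results."""
    record = {"userId": 42, "role": "user", "displayName": "alice"}
    hostile_body = json.dumps({"displayName": "alice", "role": "admin"})
    weak_result = apply_json_weak(record, hostile_body)
    try:
        apply_json_strict(record, hostile_body)
        strict_rejected = False
    except ValueError:
        strict_rejected = True
    hostile_url = "https://ofbiz.example.com.attacker.net/"
    return {
        "weak_role_after_override": weak_result["role"],
        "strict_rejected_override": strict_rejected,
        "weak_accepts_hostile_url": allowlist_weak(hostile_url),
        "strict_accepts_hostile_url": allowlist_strict(hostile_url),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two strict variants share one design choice: decide on a parsed, normalised value and an explicit allowlist of what is permitted, and reject everything else, rather than searching raw input for something that looks acceptable.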
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1): Apache OFBiz, versions before 24.09.06
References
[1] lists.apache.org/thread/cbl8qkqtxv90m6ssfwd58bnoh933v38t (nvd, Mailing List, Vendor Advisory)
[2] www.openwall.com/lists/oss-security/2026/05/19/17 (nvd)