VYPR
Medium severity (6.5) · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2026-31380

Description

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Expression Language Injection in Apache OFBiz allows FreeMarker SSTI via duplicate parameter sanitization bypass before version 24.09.06.

Vulnerability

The vulnerability is an Expression Language Injection (CWE-917) in Apache OFBiz, specifically a FreeMarker Server-Side Template Injection (SSTI) that can be achieved via a duplicate parameter sanitization bypass. The issue affects Apache OFBiz versions before 24.09.06. The vulnerability arises when specially crafted input is passed through duplicate parameters that bypass the sanitization logic, allowing an attacker to inject malicious FreeMarker expressions into a user-facing template.

Exploitation

An attacker must have network access to an affected Apache OFBiz instance. By crafting HTTP requests with duplicate parameters that evade the sanitization filters, the attacker can inject FreeMarker template expressions into the application. The attacker does not need authenticated access if the vulnerable endpoint is exposed without authentication. Exploitation consists of sending a request whose parameter values contain EL statements that the FreeMarker engine evaluates, resulting in SSTI.

Impact

Successful exploitation allows an attacker to execute arbitrary FreeMarker templates on the server, which can lead to information disclosure, modification of data, or potentially remote code execution depending on the privileges of the OFBiz application server. The impact is constrained by the Java sandbox and the permissions of the OFBiz process, but can still result in significant compromise of the application and its data.

Mitigation

The vulnerability is fixed in Apache OFBiz version 24.09.06 released on 2026-05-19 [1]. Users are strongly recommended to upgrade to this version. No known workarounds are available, and there is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog. If upgrading immediately is not possible, administrators should restrict network access to OFBiz endpoints and apply web application firewall rules to detect and block template injection patterns.
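The narrative above describes the failure mode (a sanitizer defeated by a repeated parameter) and the interim mitigation (rules that detect template-injection patterns). The following Python is an added, hypothetical illustration written for this page; it is not OFBiz code and does not reproduce the project's actual sanitization logic. It contrasts a check that inspects only the first value of each parameter name with one that inspects every value, and runs the stronger check over constructed access-log lines. The request path `/example/view`, the parameter name `view`, and all log lines are constructed sample data.

```python
"""Flag HTTP requests whose query parameters carry FreeMarker expression syntax,
inspecting every value of a repeated parameter rather than only the first.
Hypothetical defensive example; not part of Apache OFBiz."""
import re
from urllib.parse import parse_qs, urlsplit

# FreeMarker syntax markers: interpolations ${...} and #{...},
# directives <#...> and user-defined directives <@...>.
TEMPLATE_MARKER = re.compile(r"\$\{|#\{|<#|<@")


def flagged_first_value_only(query: str) -> list[str]:
    """Weak check: examines only the first value of each parameter name.
    This models the kind of sanitizer a duplicate-parameter bypass defeats."""
    params = parse_qs(query, keep_blank_values=True)
    return [name for name, values in params.items()
            if TEMPLATE_MARKER.search(values[0])]


def flagged_all_values(query: str) -> list[tuple[str, int]]:
    """Hardened check: every occurrence of every parameter is examined.
    Returns (name, position) for each value containing a template marker."""
    params = parse_qs(query, keep_blank_values=True)
    return [(name, i)
            for name, values in params.items()
            for i, value in enumerate(values)
            if TEMPLATE_MARKER.search(value)]


def scan_access_log(lines: list[str]) -> list[tuple[int, str, list[tuple[str, int]]]]:
    """Apply the hardened check to each request line of a common-format access log.
    Returns (line_number, path, hits) for every flagged request."""
    request_re = re.compile(r'"(?:GET|POST|PUT)\s+(\S+)\s+HTTP/')
    results = []
    for lineno, line in enumerate(lines, start=1):
        match = request_re.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        hits = flagged_all_values(target.query)   # parse_qs percent-decodes values
        if hits:
            results.append((lineno, target.path, hits))
    return results


# Constructed sample log lines (not from any real deployment).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/May/2026:10:00:01 +0000] "GET /example/view?view=home HTTP/1.1" 200 512',
    # repeated parameter: first value is benign, second carries ${...}
    '10.0.0.7 - - [19/May/2026:10:00:02 +0000] "GET /example/view?view=home&view=%24%7Bx%7D HTTP/1.1" 200 2048',
    # single parameter carrying a <#...> directive
    '10.0.0.9 - - [19/May/2026:10:00:03 +0000] "GET /example/view?view=%3C%23x%3E HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("first-value check on repeated param:", flagged_first_value_only("view=home&view=${x}"))
    print("all-values check on repeated param:", flagged_all_values("view=home&view=${x}"))
    for lineno, path, hits in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {path} flagged {hits}")
```

The weak check returns nothing for the second log line because it only sees `view=home`; the hardened check reports the second `view` value. When adapting this to a real gateway or log pipeline, decode parameters exactly as the application does (including form bodies, not only query strings), and treat it as a detection aid rather than a substitute for the 24.09.06 upgrade.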

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.