Medium severity (CVSS 5.3) · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2026-31387

Description

Improper Authentication vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper authentication in Apache OFBiz before 24.09.06 allows authenticated attackers to manipulate cookies, forge JWTs, and impersonate other accounts.

Vulnerability

An improper authentication vulnerability exists in all Apache OFBiz versions before 24.09.06. The issue stems from cookie manipulation that allows an already authenticated user to forge JSON Web Tokens (JWT) and impersonate other accounts [1].

Exploitation

An attacker must already hold valid credentials for the OFBiz instance. By manipulating cookie values, the attacker can produce a forged JWT that the application trusts and thereby impersonate other users, including those with higher privileges [1].

Impact

Successful exploitation allows the attacker to impersonate any other authenticated user, potentially gaining unauthorized access to sensitive data or performing actions on behalf of the victim. This compromises confidentiality and integrity, and may lead to privilege escalation if the impersonated user has elevated privileges [1].

Mitigation

The vulnerability is fixed in Apache OFBiz version 24.09.06. Users are recommended to upgrade immediately. No workarounds are mentioned in the advisory [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
