CVE-2026-31388
Description
Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache OFBiz before 24.09.06 in multi-tenant deployments allows cross-tenant data exposure via improper access control in the program export feature.
Vulnerability
Apache OFBiz versions before 24.09.06 contain an improper access control vulnerability that only manifests in multi-tenant deployments. According to the narrative, the flaw sits in the program export feature, which fails to restrict an export to the tenant the caller authenticated into: an authenticated user of one tenant can export data belonging to another tenant. Note that the CVE description itself names only "multi-tenant deployments" as the affected context; the export-feature detail is not in the CVE text and should be confirmed against the cited advisory thread [1]. All multi-tenant deployments running Apache OFBiz prior to 24.09.06 are affected.
Exploitation
An attacker needs a valid authenticated account in a multi-tenant Apache OFBiz deployment; no privileges beyond ordinary user access within one tenant are required. The attacker invokes the program export functionality, which does not verify that the data being exported belongs to the attacker's own tenant. The narrative infers that the export request can be pointed at another tenant's data by supplying a different tenant identifier or related parameter; the cited advisory does not publish a proof of concept or the exact request parameters, so the precise request shape is an inference rather than a documented exploit step [1].
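The flaw class described above, the export scope taken from a client-controlled tenant parameter instead of from the authenticated session, is shown here as an added illustration. This is constructed example code, not Apache OFBiz source and not the vendor's fix; the store, the `Session` type, the two handlers, and the log format parsed at the end are all hypothetical, chosen to show the vulnerable pattern next to the hardened one and a simple cross-tenant detection over request logs.

```python
"""Constructed example of a multi-tenant export handler: vulnerable vs hardened.

Not Apache OFBiz code. Models the flaw class from the advisory narrative
(an export whose tenant scope is not bound to the caller's tenant). All
names, data and log lines below are hypothetical and constructed inline.
"""
import re
from dataclasses import dataclass

# Constructed in-memory store: tenant id -> exportable records.
TENANT_DATA = {
    "acme": [{"order": "A-1001", "customer": "Alice"}],
    "globex": [{"order": "G-2001", "customer": "Gordon"}],
}


@dataclass(frozen=True)
class Session:
    """Authenticated principal. `tenant` is the tenant the user logged into;
    it is server-side state, never taken from the request."""
    user: str
    tenant: str


class TenantAccessDenied(Exception):
    pass


def export_vulnerable(session: Session, request: dict) -> list:
    """Vulnerable pattern: the tenant whose data is exported is read from a
    client-controlled parameter and never compared with the session tenant,
    so any authenticated user can export any tenant's records."""
    tenant = request.get("tenantId", session.tenant)
    return list(TENANT_DATA.get(tenant, []))


def export_hardened(session: Session, request: dict) -> list:
    """Hardened pattern: the export scope is derived from the session. A
    client-supplied tenant parameter is tolerated only when it matches the
    session tenant; anything else is rejected and should be logged."""
    requested = request.get("tenantId")
    if requested is not None and requested != session.tenant:
        raise TenantAccessDenied(
            f"user {session.user!r} of tenant {session.tenant!r} "
            f"requested export of tenant {requested!r}"
        )
    return list(TENANT_DATA.get(session.tenant, []))


# Hypothetical access-log line format for the detection below:
#   user=<u> session_tenant=<t> param_tenant=<t> path=<p>
_LOG_RE = re.compile(
    r"user=(?P<user>\S+) session_tenant=(?P<st>\S+) "
    r"param_tenant=(?P<pt>\S+) path=(?P<path>\S+)"
)


def find_cross_tenant_requests(lines):
    """Detection over constructed log lines: flag export requests whose
    client-supplied tenant differs from the session tenant. Returns the
    (user, session_tenant, param_tenant) triples that mismatch."""
    hits = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m or "export" not in m["path"]:
            continue
        if m["pt"] != "-" and m["pt"] != m["st"]:
            hits.append((m["user"], m["st"], m["pt"]))
    return hits


SAMPLE_LOG = [  # constructed, not real OFBiz logs
    "user=alice session_tenant=acme param_tenant=- path=/export/orders",
    "user=mallory session_tenant=acme param_tenant=globex path=/export/orders",
    "user=gordon session_tenant=globex param_tenant=globex path=/export/orders",
    "user=mallory session_tenant=acme param_tenant=globex path=/catalog/view",
]


def demo():
    """Runs the cross-tenant request against both handlers."""
    attacker = Session(user="mallory", tenant="acme")
    cross_tenant = {"tenantId": "globex"}
    leaked = export_vulnerable(attacker, cross_tenant)
    try:
        export_hardened(attacker, cross_tenant)
        blocked = False
    except TenantAccessDenied:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print("vulnerable handler leaked:", demo()[0])
    print("hardened handler blocked:", demo()[1])
    print("cross-tenant export requests:", find_cross_tenant_requests(SAMPLE_LOG))
```

The hardened handler deliberately rejects, rather than silently overrides, a mismatching tenant parameter: a silent override hides the probing attempt, while a rejection produces the log event the detection function keys on.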
Impact
Successful exploitation discloses data belonging to other tenants. The impact is information disclosure: the attacker gains read access to tenant-specific business data such as customer records and orders. The advisory gives no indication of write access or code execution, but the confidentiality breach crosses tenant boundaries, which is the core guarantee a multi-tenant deployment exists to uphold. The scope is limited to multi-tenant deployments; single-tenant deployments are not affected [1].
Mitigation
The vulnerability is fixed in Apache OFBiz version 24.09.06, and operators of multi-tenant deployments should upgrade to it promptly. No workarounds have been published. Until the upgrade is in place, treat tenant isolation on the export path as unenforced and review export activity for requests that reference a tenant other than the caller's own. No exploitation in the wild has been reported, and the CVE is not listed on CISA KEV as of the publication date [1].
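A small affected-version check, added here as an example and not taken from the advisory or from OFBiz: it parses the dotted OFBiz release string numerically and compares it with the fix version, so that a lexical string comparison does not misjudge releases with differing component widths. How the version string is obtained from a given deployment is left to the operator; the function only assumes it is in the `YY.MM.NN` form the advisory uses.

```python
"""Constructed example: decide whether an Apache OFBiz release string falls
before the 24.09.06 fix version named in the advisory. Not project code."""
import re

FIX_VERSION = (24, 9, 6)  # "24.09.06" from the advisory text

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_ofbiz_version(text: str) -> tuple:
    """Parse the leading `major.minor.patch` of a release string into ints.
    Trailing suffixes (e.g. '-SNAPSHOT') are ignored; anything else raises."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised OFBiz version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(text: str, fix: tuple = FIX_VERSION) -> bool:
    """True when the release is strictly older than the fix version.
    Follows the advisory's 'before 24.09.06' wording, so older release
    lines (e.g. 22.01.x) are treated as affected as well."""
    return parse_ofbiz_version(text) < fix


if __name__ == "__main__":
    for candidate in ["24.09.05", "24.09.06", "24.09.07", "22.01.02", "24.09.06-SNAPSHOT"]:
        print(candidate, "affected" if is_affected(candidate) else "not affected")
```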
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
- lists.apache.org/thread/npjchvnpnosoqpto46s2om12jd9s7py7 (nvd; Mailing List; Vendor Advisory)
- www.openwall.com/lists/oss-security/2026/05/19/21 (nvd)
News mentions (0)
No linked articles in our index yet.