CVE-2026-31910
Description
Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in Apache OFBiz UI Factory classes allows SSRF and blind file access.
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability exists in Apache OFBiz due to improper input validation in the UI Factory classes. This issue affects all versions of Apache OFBiz before 24.09.06 [1]. The vulnerability can be triggered when the application processes specially crafted requests without adequately validating user-supplied URLs or paths.
Exploitation
An attacker with network access to an affected Apache OFBiz instance can exploit this vulnerability by sending a malicious request that causes the server to make unintended requests to internal or external resources. The attack requires no authentication or special privileges, and can be executed remotely over the network.
Impact
Successful exploitation allows an attacker to perform SSRF attacks, which may lead to blind file access or other internal resource enumeration. This can result in information disclosure, including the ability to probe internal network services or read sensitive files accessible to the OFBiz application server.
Mitigation
The vulnerability is fixed in Apache OFBiz version 24.09.06 [1]. Users should upgrade to this version immediately. There is no known workaround for this issue, and it is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Application of the latest patch is strongly recommended.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
- [1] lists.apache.org/thread/2smc4c4o056ovd2hoq1l29593y5y29vh (Mailing List, Vendor Advisory)
- [2] www.openwall.com/lists/oss-security/2026/05/19/24 (NVD)
News mentions: 0
No linked articles in our index yet.