CVE-2026-31986
Description
Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache OFBiz before 24.09.06 uses a hard-coded JWT signing key, allowing unauthenticated attackers to forge tokens and achieve remote code execution via widget template injection.
Vulnerability
Apache OFBiz versions before 24.09.06 contain a Use of Hard-coded Cryptographic Key vulnerability [1]. The default JWT signing key is embedded in the software, allowing an attacker to forge valid authentication tokens. Additionally, a widget template injection flaw enables execution of arbitrary code on the server. The attack path requires no prior authentication and can be triggered remotely over HTTP.
Exploitation
An unauthenticated attacker with network access to the OFBiz instance can exploit this by crafting a JWT token using the known default signing key. The forged token is then used to access administrative endpoints that allow widget template injection. By injecting malicious template code, the attacker can execute arbitrary Java code on the server [1]. No user interaction or special privileges are required.
Impact
Successful exploitation leads to unauthenticated remote code execution (RCE) on the Apache OFBiz server [1]. The attacker gains full control over the affected system, including the ability to read, modify, or delete sensitive data, install malware, or pivot to internal networks. The confidentiality, integrity, and availability of the system are completely compromised.
Mitigation
Apache OFBiz version 24.09.06 fixes the vulnerability by removing the hard-coded cryptographic key and addressing the template injection issue [1]. Users are strongly advised to upgrade to this version immediately. No workarounds are provided for unpatched instances. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the disclosure date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- lists.apache.org/thread/2hl9xoqm8tq8b22x6vnmtp7tg3opcqgcnvd (Mailing List, Vendor Advisory)
- www.openwall.com/lists/oss-security/2026/05/19/25 (nvd)
News mentions (0)
No linked articles in our index yet.