CVE-2026-45187
Description
Improper Authorization vulnerability in Apache OFBiz Webtools.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache OFBiz Webtools fails to properly authorize scheduled job creation, allowing low-privileged users to submit system jobs, leading to potential privilege escalation.
Vulnerability
An improper authorization vulnerability exists in Apache OFBiz Webtools, specifically in the scheduled job creation functionality. This allows users with low privileges, who should not have the ability to create system-level jobs, to submit such jobs. The vulnerability affects all versions of Apache OFBiz before 24.09.06. The issue lies in the Webtools component, which provides administration and monitoring capabilities. [1]
Exploitation
To exploit this vulnerability, an attacker must have a low-privileged account (e.g., a standard user) with access to the OFBiz Webtools interface. The attacker can then craft a request to create a scheduled job, bypassing authorization checks. No additional user interaction or complex prerequisites are required, as the flawed authorization logic is present in the job submission endpoint. [1]
Impact
Successful exploitation allows the attacker to submit system-level scheduled jobs, which can be executed with higher privileges. This leads to privilege escalation, potentially enabling the attacker to perform arbitrary actions on the server, such as executing code, accessing sensitive data, or disrupting services. The CVSS v3 score of 6.5 (Medium) reflects the potential for significant impact but requires authenticated access. [1]
Mitigation
The vulnerability is fixed in Apache OFBiz version 24.09.06. Users are strongly recommended to upgrade to this version immediately. No workarounds have been disclosed in the available references. [1]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
- lists.apache.org/thread/pcmfyxjyk7dg0btxqg9h7cr30yg8mr7knvd (Mailing List, Vendor Advisory)
- www.openwall.com/lists/oss-security/2026/05/19/28 (nvd)
News mentions: 0
No linked articles in our index yet.