CVE-2026-45434
Description
Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remote Code Execution
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache OFBiz versions before 24.09.06 contain an improper authentication vulnerability in password-change logic that allows remote code execution.
Vulnerability
Apache OFBiz versions prior to 24.09.06 contain an improper authentication vulnerability in the password-change logic. This flaw allows an attacker to bypass authentication mechanisms by manipulating the password change workflow, potentially leading to remote code execution. The vulnerability is classified as critical (CVSS 9.8) and affects all builds before the fixed release [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication or user interaction. The attacker sends crafted HTTP requests to the password-change endpoint that bypass the intended authentication checks, then leverages the logic flaw to achieve remote code execution. No special privileges or network position are required beyond network reachability of the OFBiz instance [1].
Impact
Successful exploitation grants the attacker arbitrary code execution on the affected Apache OFBiz server. This can lead to full compromise of confidentiality, integrity, and availability of the system, as the attacker gains the same privileges as the OFBiz application (often a privileged user) [1].
Mitigation
Users are advised to upgrade to Apache OFBiz version 24.09.06 or later, which resolves the vulnerability. No workarounds or patches for earlier versions have been disclosed. As of this publication, the CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- lists.apache.org/thread/yw4owrzl0yho1yx7oqxvr6xjkmln9tq8 (nvd; Mailing List; Vendor Advisory)
- www.openwall.com/lists/oss-security/2026/05/19/29 (nvd)
News mentions (0)
No linked articles in our index yet.