CVE-2026-46586
Description
Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.06.
Users are recommended to upgrade to version 24.09.06, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated code injection in Apache OFBiz traverseContent service allows Groovy code execution before 24.09.06.
Vulnerability
An improper control of code generation ('code injection') and improper neutralization of directives in dynamically evaluated code ('eval injection') vulnerability exists in Apache OFBiz before 24.09.06 [1]. The flaw is in the traverseContent service, which does not properly validate user-supplied input and so lets a caller inject arbitrary Groovy code that the service then evaluates. Version 24.09.06 fixes the issue.
Exploitation
Exploitation requires authenticated access to the OFBiz application [1]. An attacker with valid credentials sends a crafted request to the traverseContent service carrying Groovy code in a parameter the service does not sanitize; the service evaluates that parameter dynamically, so the attacker's code runs on the server. The references cited on this page do not state which permissions the account needs beyond being authenticated, so any OFBiz login should be treated as sufficient until the fix is applied.
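The following Groovy script is an added example illustrating the vulnerability class the paragraph above describes; it is not Apache OFBiz code, and it does not reproduce how traverseContent is implemented or how 24.09.06 fixed it. The ContentNode type, its field names, the tree and the filter strings are all constructed for this illustration. traverseUnsafe shows the eval-injection pattern (a caller's filter string compiled and run as Groovy for every node, so any embedded statement executes in the JVM); traverseSafe shows one hardening pattern for the class: never evaluate the caller's string, accept only a fixed grammar over an allowlist of fields, and do the comparison in ordinary code.

```groovy
import java.util.regex.Matcher

// Constructed example, not Apache OFBiz code: a toy "content tree" and two
// implementations of a traversal that filters nodes by a caller-supplied
// string. ContentNode and its field names are hypothetical.
class ContentNode {
    String contentId
    String contentTypeId
    List<ContentNode> children = []
}

// VULNERABLE (eval injection): the filter string is compiled and run as Groovy
// for every node, so any statement the caller embeds executes in the JVM with
// the privileges of the process.
List<String> traverseUnsafe(ContentNode root, String filterExpr) {
    List<String> hits = []
    Script compiled = new GroovyShell().parse(filterExpr)
    Closure walk
    walk = { ContentNode n ->
        compiled.setBinding(new Binding([node: n]))
        if (compiled.run()) {
            hits << n.contentId
        }
        n.children.each(walk)
    }
    walk(root)
    return hits
}

// HARDENED: nothing is evaluated. The filter must match a fixed grammar,
//     <field> (==|!=) '<literal>'
// the field must be on an allowlist, and the comparison is done by ordinary
// code. Anything else, including syntactically valid Groovy, is rejected
// before any traversal happens.
@groovy.transform.Field
final Set<String> ALLOWED_FIELDS = ['contentId', 'contentTypeId'] as Set

Closure<Boolean> compileFilter(String filterExpr) {
    Matcher m = filterExpr =~ /^\s*(\w+)\s*(==|!=)\s*'([^']*)'\s*$/
    if (!m.matches()) {
        throw new IllegalArgumentException("filter rejected: ${filterExpr}")
    }
    String field = m.group(1), op = m.group(2), literal = m.group(3)
    if (!(field in ALLOWED_FIELDS)) {
        throw new IllegalArgumentException("unknown field: ${field}")
    }
    // Property read by name on the node; equality flipped for '!='.
    return { ContentNode n -> (n[field] == literal) == (op == '==') }
}

List<String> traverseSafe(ContentNode root, String filterExpr) {
    Closure<Boolean> pred = compileFilter(filterExpr)   // validated up front
    List<String> hits = []
    Closure walk
    walk = { ContentNode n ->
        if (pred(n)) {
            hits << n.contentId
        }
        n.children.each(walk)
    }
    walk(root)
    return hits
}

// Constructed tree: ROOT -> [DOC-1, SUB -> [DOC-2]].
ContentNode tree = new ContentNode(contentId: 'ROOT', contentTypeId: 'FOLDER', children: [
    new ContentNode(contentId: 'DOC-1', contentTypeId: 'DOCUMENT'),
    new ContentNode(contentId: 'SUB', contentTypeId: 'FOLDER', children: [
        new ContentNode(contentId: 'DOC-2', contentTypeId: 'DOCUMENT'),
    ]),
])

// Constructed hostile filter: a statement with a visible side effect, then
// `true` so the "filter" still matches every node. A real payload would do worse.
String hostile = "System.setProperty('eval.injection.demo', 'ran'); true"

assert traverseUnsafe(tree, "node.contentTypeId == 'DOCUMENT'") == ['DOC-1', 'DOC-2']
assert traverseUnsafe(tree, hostile) == ['ROOT', 'DOC-1', 'SUB', 'DOC-2']
assert System.getProperty('eval.injection.demo') == 'ran'   // the side effect ran in this JVM

assert traverseSafe(tree, "contentTypeId == 'DOCUMENT'") == ['DOC-1', 'DOC-2']
assert traverseSafe(tree, "contentTypeId != 'DOCUMENT'") == ['ROOT', 'SUB']
try {
    traverseSafe(tree, hostile)
    assert false, 'hostile filter must be rejected'
} catch (IllegalArgumentException e) {
    println "rejected: ${e.message}"
}
```

Run it with `groovy` on the script file. The design point is that the hardened path never hands the caller's bytes to the Groovy compiler at all; restricting what an evaluated script may do (AST customizers, sandbox classloaders) is a weaker position than not evaluating it, because sandbox escapes in dynamic languages are a recurring research result.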
Impact
Successful exploitation lets an authenticated attacker run arbitrary Groovy code, and therefore arbitrary JVM and operating-system actions, in the context of the OFBiz process, compromising the confidentiality, integrity and availability of the application and its data. The injected code runs with the privileges of the account the OFBiz process runs under, which in typical deployments has broad access to the host and to the application's database credentials.
Mitigation
Apache OFBiz 24.09.06, released on or before 2026-05-19 (the date of the oss-security post), contains the fix for this vulnerability [1]. Upgrade to 24.09.06 or later. No workarounds or alternative mitigations are documented in the references, and because only authenticated access is required, an instance that issues accounts to untrusted or external users should be treated as exposed until it is upgraded. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
- lists.apache.org/thread/7mgjl81nrpxqtfcg6h5qtrx7wztbl4js (nvd; Mailing List; Vendor Advisory)
- www.openwall.com/lists/oss-security/2026/05/19/30 (nvd)