VYPR · patch
Published May 31, 2026 · 1 source

Apache OFBiz Patches 17 CVEs Including Three Critical Flaws in Single Advisory

Apache released OFBiz 24.09.06 on May 19, 2026, fixing 17 vulnerabilities including three critical-severity bugs spanning authentication bypass, LDAP injection, and hard-coded cryptographic keys.

Apache OFBiz, the open-source enterprise resource planning (ERP) system, received a massive security update on May 19, 2026, when version 24.09.06 shipped with fixes for 17 distinct CVEs. The batch — disclosed simultaneously by the Apache OFBiz security team — includes three critical-rated vulnerabilities (CVSS 9.8, 9.1, and 9.1) and four high-severity bugs, making it one of the most consequential single advisories for the project in recent years.

Three CVEs earned the "Critical" label. The most severe is CVE-2026-45434 (CVSS 9.8), an improper authentication vulnerability in the password-change logic that can lead directly to remote code execution. An unauthenticated attacker who can reach the OFBiz instance could exploit the flawed password-reset flow to gain full control of the system.

CVE-2026-41919 (CVSS 9.1) is an LDAP injection vulnerability — improper neutralization of special elements used in an LDAP query. An attacker capable of injecting crafted input into LDAP operations could bypass authentication, escalate privileges, or extract sensitive directory data.
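The "improper neutralization of special elements" behind CVE-2026-41919 is the general LDAP injection class (CWE-90). The following is an added Python example, not OFBiz code and not derived from the OFBiz fix, contrasting a login filter built by string concatenation with the same filter escaped per RFC 4515; the attribute names and filter shape are assumptions chosen for illustration.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_ldap_filter_value(value: str) -> str:
    """Neutralize filter metacharacters so the value cannot alter filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_login_filter_unsafe(username: str) -> str:
    """Vulnerable pattern (CWE-90): user input concatenated into the filter verbatim."""
    return f"(&(objectClass=person)(uid={username}))"

def build_login_filter_safe(username: str) -> str:
    """Hardened pattern: the same filter with the user-controlled value escaped."""
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"

def parse_assertions(ldap_filter: str) -> list[tuple[str, str]]:
    """Return the (attribute, value) items of a simple filter.

    A minimal tokenizer used only to show how many assertions the directory
    server would see; it is not a full RFC 4515 parser.
    """
    return re.findall(r"\(([A-Za-z][\w-]*)=([^()]*)\)", ldap_filter)

if __name__ == "__main__":
    # Constructed input: a "username" carrying filter metacharacters.
    hostile = "*)(uid=*"
    for label, build in (("unsafe", build_login_filter_unsafe), ("safe", build_login_filter_safe)):
        flt = build(hostile)
        # The unsafe filter grows a third assertion; the escaped one keeps two.
        print(f"{label}: {flt} -> {len(parse_assertions(flt))} assertions")
```

The structural check is the detection angle: a filter whose assertion count depends on the user-supplied value is the defect, regardless of what the value is.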

Rounding out the critical trio is CVE-2026-31986 (CVSS 9.1), a hard-coded cryptographic key vulnerability. The use of static, embedded cryptographic keys undermines encryption protections entirely, allowing an attacker who discovers the key to decrypt sensitive communications or forge authenticated requests.

Four high-severity CVEs were also patched. CVE-2026-46586 (CVSS 8.8) is a code injection and eval injection flaw — improper control over dynamically evaluated code could let an authenticated attacker execute arbitrary commands on the server. CVE-2026-31910 (CVSS 7.5) and CVE-2026-29226 (CVSS 7.3) are both server-side request forgery (SSRF) vulnerabilities, the latter specifically affecting Content component operations. CVE-2026-31909 (CVSS 7.5) exposes sensitive information to unauthorized actors.

The remaining ten CVEs are rated Medium, but several carry significant risk. CVE-2026-31906 and CVE-2026-31379 (both CVSS 6.1) are cross-site scripting flaws; the latter also involves path traversal and code injection vectors. CVE-2026-31380 (CVSS 6.5) is an Expression Language (EL) injection vulnerability — a bug class historically leveraged for remote code execution in Java-based frameworks.

All 17 CVEs are fixed in Apache OFBiz version 24.09.06, and no backporting is available for older release lines. No in-the-wild exploitation has been publicly reported as of the disclosure date, though the critical authentication bypass (CVE-2026-45434) was noted in a weekly security recap by The Hacker News.

Synthesized by Vypr AI