Disclosed on May 19–20, 2026, and assigned a CVSS 3.1 score of 9.8 (Critical), the flaw affects all Apache OFBiz versions before 24.09.06 across both the legacy 18.12.x branch and the 24.09.x series through 24.09.05.
Apache OFBiz is a widely deployed open-source Enterprise Resource Planning (ERP) framework used across manufacturing, retail, and finance sectors.
The platform’s ProgramExport endpoint has repeatedly proven to be a high-value target, featuring in multiple previous RCE chains, including CVE-2024-45195 and CVE-2024-38856.
Apache OFBiz Vulnerability
The flaw resides in OFBiz’s LoginWorker.checkLogin() method, which handles authentication across the platform.
When an administrator enables the requirePasswordChange flag on a user account, a common hardening step following credential leaks or during onboarding, the account should remain locked until the user completes a password reset through the dedicated ChangePassword form.
However, checkLogin() only validates the return value of login() against the string "error".
Since a locked account returns "requirePasswordChange" instead, the conditional check evaluates to false, effectively treating the response as a successful authentication.
An attacker who possesses valid credentials for any flagged account can inject requirePasswordChange=Y as a client-controlled HTTP parameter, trigger an inline password change, and gain immediate access to any protected endpoint, all within a single POST request.
Chaining this with Apache OFBiz’s ProgramExport.groovy endpoint, which in versions before 24.09.06 lacked both permission checks and a Groovy sandbox, elevates the impact from a workflow bypass to full OS-level command execution.
Researchers at Aretiq AI noted this is consistent with CVE-2023-51467, a prior auth bypass rooted in the same requirePasswordChange logic that also scored 9.8, suggesting the root cause was never fully remediated in earlier patch cycles.
The exploitation risk is particularly high because Apache OFBiz ships with over ten demo accounts, including admin, flexadmin, and demoadmin, all using the well-known default password ofbiz.
Any internet-facing instance that retains these credentials, including development, staging, or recently deployed production environments, is trivially exploitable.
Successful exploitation grants the attacker full JVM access, enabling OS command execution, database exfiltration, backdoor installation, and lateral network movement.
In the researchers’ test environment, OFBiz ran as root, resulting in complete system compromise.
A proof-of-concept Python exploit has been developed and confirmed on OFBiz 24.09.05 running OpenJDK 17 on Ubuntu 24.04, returning uid=0(root) in test conditions.
Patch and Mitigations
Apache addressed the vulnerability through three commits in version 24.09.06:
- Commit 6516157 — Removed the client-controlled requirePasswordChange HTTP parameter; the flag is now read exclusively from the database
- Commit 771efc4 — Added an ENTITY_MAINT permission check to ProgramExport.groovy
- Commit c0592a3 — Introduced a SecureASTCustomizer Groovy sandbox with import allowlisting, method restrictions, and a 40+ pattern blocklist for dangerous calls
Organizations running Apache OFBiz are strongly urged to upgrade to version 24.09.06 immediately.
Additionally, administrators should audit all user accounts for retained default credentials, disable or remove demo data on production instances, and restrict external access to the /webtools/control/ProgramExport endpoint at the network perimeter.
Detection guidance is available through Suricata network signatures targeting the requirePasswordChange=Y parameter combined with groovyProgram POST bodies, and YARA rules for scanning OFBiz source trees and JAR files for vulnerable LoginWorker.java and ProgramExport.groovy patterns.
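As an added illustration of that detection guidance (this is example code written for this article, not a rule shipped by the researchers or by the OFBiz project), the helper below classifies HTTP requests by the two indicators named above: a client-supplied requirePasswordChange=Y and a groovyProgram POST body aimed at the ProgramExport endpoint. The request records and the path-matching rule are assumptions; adapt them to your own proxy or web-server log format.

```python
"""Triage helper (added example, not from the article or from OFBiz itself)."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class HttpRequest:
    method: str
    uri: str        # path plus optional query string
    body: str = ""  # url-encoded form body; empty for GET


def client_params(req: HttpRequest) -> dict[str, list[str]]:
    """Merge query-string and form-body parameters; both are client-controlled."""
    params = parse_qs(urlsplit(req.uri).query, keep_blank_values=True)
    if req.method.upper() == "POST":
        for key, values in parse_qs(req.body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return params


def classify(req: HttpRequest) -> str:
    """Return 'critical', 'suspicious' or 'benign' for one request."""
    params = client_params(req)
    # The patched release reads this flag only from the database, so any
    # client-supplied value is itself an indicator (case-insensitive match).
    flag_from_client = any(v.strip().upper() == "Y"
                           for v in params.get("requirePasswordChange", []))
    targets_export = urlsplit(req.uri).path.endswith("/control/ProgramExport")
    has_groovy = req.method.upper() == "POST" and "groovyProgram" in params
    if flag_from_client and targets_export and has_groovy:
        return "critical"    # bypass-plus-RCE shape described in the article
    if flag_from_client or (targets_export and has_groovy):
        return "suspicious"  # either half alone still merits review
    return "benign"


def triage(requests: list[HttpRequest]) -> list[tuple[str, str, str]]:
    """Summarise a batch as (method, path, verdict) tuples."""
    return [(r.method, urlsplit(r.uri).path, classify(r)) for r in requests]


# Constructed sample traffic for the demo; not real captures.
SAMPLE_REQUESTS = [
    HttpRequest("POST", "/webtools/control/ProgramExport",
                "USERNAME=demoadmin&requirePasswordChange=Y&groovyProgram=1"),
    HttpRequest("POST", "/webtools/control/ProgramExport",
                "USERNAME=demoadmin&groovyProgram=1"),
    HttpRequest("GET", "/webtools/control/main?requirePasswordChange=y"),
    HttpRequest("POST", "/webtools/control/login", "USERNAME=demoadmin"),
]

if __name__ == "__main__":
    for method, path, verdict in triage(SAMPLE_REQUESTS):
        print(f"{verdict:<10} {method} {path}")
```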
The post Apache OFBiz Flaw Exploited for Auth Bypass and RCE Attacks appeared first on Cyber Security News.
