
Apache OFBiz Flaw Exploited for Auth Bypass and RCE Attacks

A critical authentication bypass vulnerability in Apache OFBiz, tracked as CVE-2026-45434, has been publicly disclosed, allowing attackers to bypass forced password-change restrictions and achieve full remote code execution (RCE) on unpatched servers.

Disclosed on May 19–20, 2026, and assigned a CVSS 3.1 score of 9.8 (Critical), the flaw affects all Apache OFBiz versions before 24.09.06 across both the legacy 18.12.x branch and the 24.09.x series through 24.09.05.

Apache OFBiz is a widely deployed open-source Enterprise Resource Planning (ERP) framework used across manufacturing, retail, and finance sectors.

The platform’s ProgramExport endpoint has repeatedly proven to be a high-value target, featuring in multiple previous RCE chains, including CVE-2024-45195 and CVE-2024-38856.

Apache OFBiz Vulnerability

The flaw resides in OFBiz’s LoginWorker.checkLogin() method, which handles authentication across the platform.

When an administrator enables the requirePasswordChange flag on a user account, a common hardening step following credential leaks or during onboarding, the account should remain locked until the user completes a password reset through the dedicated ChangePassword form.

However, checkLogin() only validates the return value of login() against the string "error".

Since a locked account returns "requirePasswordChange" instead, the conditional check evaluates to false, effectively treating the response as a successful authentication.

An attacker who possesses valid credentials for any flagged account can inject requirePasswordChange=Y as a client-controlled HTTP parameter, trigger an inline password change, and gain immediate access to any protected endpoint, all within a single POST request.
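To make the logic flaw concrete, here is an added toy model of the checkLogin() behaviour described above, with the vulnerable comparison beside a corrected one. It is example code written for this page, not Apache OFBiz source; the account store, passwords and the function names are constructed assumptions.

```python
# Added example, not Apache OFBiz code: a toy model of the checkLogin() logic
# the article describes, vulnerable comparison beside the corrected one.
from dataclasses import dataclass


@dataclass
class Account:
    user_login_id: str
    password: str                          # plaintext only in this toy model
    require_password_change: bool = False  # the database-side flag


# Constructed accounts (not OFBiz demo data): alice is flagged for a forced reset.
USERS = {
    "alice": Account("alice", "s3cret", require_password_change=True),
    "bob": Account("bob", "hunter2"),
}


def login(user_id: str, password: str, require_change: bool) -> str:
    """Three outcomes, as the article attributes them to login():
    "error", "requirePasswordChange" or "success"."""
    acct = USERS.get(user_id)
    if acct is None or acct.password != password:
        return "error"
    if require_change:
        return "requirePasswordChange"
    return "success"


def flag_vulnerable(acct: Account, params: dict) -> bool:
    """Pre-24.09.06 behaviour as described: a client-controlled HTTP
    parameter overrides the database flag."""
    if "requirePasswordChange" in params:
        return params["requirePasswordChange"] == "Y"
    return acct.require_password_change


def flag_fixed(acct: Account, params: dict) -> bool:
    """Commit 6516157 as described: the flag is read only from the record."""
    return acct.require_password_change


def check_login_vulnerable(user_id: str, password: str, params: dict) -> bool:
    """Only "error" counts as failure, so a locked account's
    "requirePasswordChange" result is treated as an authenticated session."""
    acct = USERS.get(user_id)
    require_change = flag_vulnerable(acct, params) if acct else False
    return login(user_id, password, require_change) != "error"


def check_login_fixed(user_id: str, password: str, params: dict) -> bool:
    """Only an explicit "success" authenticates; a flagged account is routed
    to the ChangePassword form instead of receiving a session."""
    acct = USERS.get(user_id)
    require_change = flag_fixed(acct, params) if acct else False
    return login(user_id, password, require_change) == "success"
```

The two halves of the fix are independent: comparing against "success" rather than "error" closes the bypass for accounts that are genuinely flagged, while ignoring the HTTP parameter stops a client from steering any account into the forced-change branch in the first place.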

Chaining this with Apache OFBiz’s ProgramExport.groovy endpoint, which in versions before 24.09.06 lacked both permission checks and a Groovy sandbox, elevates the impact from a workflow bypass to full OS-level command execution.

Researchers at Aretiq AI noted this is consistent with CVE-2023-51467, a prior auth bypass rooted in the same requirePasswordChange logic that also scored 9.8, suggesting the root cause was never fully remediated in earlier patch cycles.

The exploitation risk is particularly high because Apache OFBiz ships with over ten demo accounts, including admin, flexadmin, and demoadmin, all using the well-known default password ofbiz.

Any internet-facing instance that retains these credentials, including development, staging, or recently deployed production environments, is trivially exploitable.

Successful exploitation grants the attacker full JVM access, enabling OS command execution, database exfiltration, backdoor installation, and lateral network movement.

In the researchers’ test environment, OFBiz ran as root, resulting in complete system compromise.

A proof-of-concept Python exploit has been developed and confirmed on OFBiz 24.09.05 running OpenJDK 17 on Ubuntu 24.04, returning uid=0(root) in test conditions.

Patch and Mitigations

Apache addressed the vulnerability through three commits in version 24.09.06:

  • Commit 6516157 — Removed the client-controlled requirePasswordChange HTTP parameter; the flag is now read exclusively from the database
  • Commit 771efc4 — Added an ENTITY_MAINT permission check to ProgramExport.groovy
  • Commit c0592a3 — Introduced a SecureASTCustomizer Groovy sandbox with import allowlisting, method restrictions, and a 40+ pattern blocklist for dangerous calls

Organizations running Apache OFBiz are strongly urged to upgrade to version 24.09.06 immediately.

Additionally, administrators should audit all user accounts for retained default credentials, disable or remove demo data on production instances, and restrict external access to the /webtools/control/ProgramExport endpoint at the network perimeter.
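As an added illustration of the credential audit (example code written for this page, not an OFBiz tool), the following checks a user export for the demo account names and default password given in the article. The hash layout "$SHA$<salt>$<url-safe base64 of SHA-1(salt + password)>" is an assumption about OFBiz's stored-password format, and the account rows are constructed.

```python
# Added example, not Apache OFBiz code: audit a user export for demo accounts
# and the default password named in the article. The "$SHA$salt$digest" hash
# layout is an assumption about OFBiz's password format; rows are constructed.
import base64
import hashlib

DEMO_ACCOUNTS = {"admin", "flexadmin", "demoadmin"}  # named in the article
DEFAULT_PASSWORD = "ofbiz"                           # named in the article


def ofbiz_hash(password: str, salt: str, hash_type: str = "SHA") -> str:
    """Assumed layout: '$' + type + '$' + salt + '$' + urlsafe-b64(H(salt || pw))."""
    algo = {"SHA": "sha1", "SHA-256": "sha256"}.get(hash_type, hash_type.lower())
    digest = hashlib.new(algo)
    digest.update(salt.encode())
    digest.update(password.encode())
    encoded = base64.urlsafe_b64encode(digest.digest()).decode().rstrip("=")
    return f"${hash_type}${salt}${encoded}"


def verify(password: str, stored: str) -> bool:
    """Re-hash with the stored salt and type; malformed strings never verify."""
    try:
        _, hash_type, salt, _ = stored.split("$", 3)
    except ValueError:
        return False
    return ofbiz_hash(password, salt, hash_type) == stored


def audit(rows):
    """rows: iterable of (user_login_id, stored_hash). Returns [(user, reasons)]."""
    findings = []
    for user, stored in rows:
        reasons = []
        if user in DEMO_ACCOUNTS:
            reasons.append("demo account present")
        if verify(DEFAULT_PASSWORD, stored):
            reasons.append("default password 'ofbiz' still set")
        if reasons:
            findings.append((user, reasons))
    return findings


# Constructed export: one demo account on the default password, one demo
# account re-keyed, one non-demo service account that reused the default.
SAMPLE_ROWS = [
    ("admin", ofbiz_hash("ofbiz", "t4Yj")),
    ("flexadmin", ofbiz_hash("Str0ng!pass", "9kLm")),
    ("svc_reports", ofbiz_hash("ofbiz", "ab12")),
    ("jdoe", ofbiz_hash("correct-horse", "Qz88")),
]

if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_ROWS):
        print(f"{user}: {'; '.join(reasons)}")
```

Checking the password, not just the account name, matters: the article's point is that any account carrying the default password is the problem, and a non-demo account that was given the same value would slip past a name-only check.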

Detection guidance is available through Suricata network signatures targeting the requirePasswordChange=Y parameter combined with groovyProgram POST bodies, and YARA rules for scanning OFBiz source trees and JAR files for vulnerable LoginWorker.java and ProgramExport.groovy patterns.
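The network-side detection logic described above, reduced to its two signals and run over constructed request records, as an added example (not a Suricata or YARA rule from the article, and not OFBiz code). The record format and the placeholder request bodies are assumptions made for the example.

```python
# Added example, not a Suricata signature: the two-signal match the article's
# detection guidance describes (requirePasswordChange=Y together with a
# groovyProgram POST body), applied to constructed HTTP request records.
from urllib.parse import parse_qs

PROGRAM_EXPORT_SUFFIX = "/control/ProgramExport"  # path named in the article


def classify_request(method: str, path: str, body: str) -> list:
    """Return alert tags for one request; an empty list means nothing to flag."""
    tags = []
    if method != "POST":
        return tags
    params = parse_qs(body, keep_blank_values=True)
    forced_change = "Y" in params.get("requirePasswordChange", [])
    has_groovy = "groovyProgram" in params
    if forced_change and has_groovy:
        # Both signals in one request: the inline password change paired with
        # a script body, which no legitimate workflow submits together.
        tags.append("inline-password-change+groovy-payload")
    if path.endswith(PROGRAM_EXPORT_SUFFIX):
        # Any POST reaching ProgramExport from outside is worth a look given
        # the perimeter restriction the article recommends.
        tags.append("ProgramExport-POST")
    return tags


def scan(records):
    """records: iterable of (method, path, body). Returns [(index, tags)] for hits."""
    hits = []
    for i, (method, path, body) in enumerate(records):
        tags = classify_request(method, path, body)
        if tags:
            hits.append((i, tags))
    return hits


# Constructed traffic sample; bodies use a placeholder, not a real script.
SAMPLE_REQUESTS = [
    ("POST", "/webtools/control/ProgramExport",
     "requirePasswordChange=Y&groovyProgram=PLACEHOLDER_SCRIPT"),
    ("POST", "/catalog/control/login", "requirePasswordChange=N"),
    ("GET", "/webtools/control/ProgramExport", ""),
    ("POST", "/webtools/control/ProgramExport", "groovyProgram=PLACEHOLDER_SCRIPT"),
    ("POST", "/ordermgr/control/login", "requirePasswordChange=Y"),
]

if __name__ == "__main__":
    for index, tags in scan(SAMPLE_REQUESTS):
        print(index, SAMPLE_REQUESTS[index][1], tags)
```

Requiring both parameters in the same body keeps the high-severity tag from firing on an ordinary forced password change, while the broader ProgramExport tag gives a lower-severity signal that the perimeter restriction is not in place.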


The post Apache OFBiz Flaw Exploited for Auth Bypass and RCE Attacks appeared first on Cyber Security News.
