Hard-coded Cryptographic Key Vulnerability in Apache OFBiz
CVE-2026-31986

9.1CRITICAL

Key Information:

Vendor: Apache
Status: Apache Ofbiz
Vendor: CVE Published:; 19 May 2026

What is CVE-2026-31986?

A vulnerability has been identified in Apache OFBiz due to the presence of a hard-coded cryptographic key that can be exploited by malicious actors. This flaw impacts versions prior to 24.09.06, creating potential risks associated with unauthorized access and data exposure. It is strongly advised for users to upgrade to the latest version, 24.09.06, to ensure their systems are protected against this vulnerability.

Affected Version(s)

Apache OFBiz 0 < 24.09.06

References

https://lists.apache.org/thread/2hl9xoqm8tq8b22x6vnmtp7tg...

vendor-advisory

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 19, 2026
Vulnerability Reserved
Mar 10, 2026

Credit

Lidor B / thisis0xczar of Novee Security

CVE-2026-31986 Data

JSON