Remote Code Execution Vulnerability in Apache OFBiz by Apache
CVE-2026-45434

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Ofbiz
Vendor: CVE Published:; 19 May 2026

What is CVE-2026-45434?

An improper authentication vulnerability has been identified in Apache OFBiz, stemming from a flaw in the password-change logic. This issue can potentially allow attackers to execute remote code, posing serious security risks. It affects versions prior to 24.09.06. Users are urged to upgrade to version 24.09.06 to mitigate this vulnerability and protect their systems.

Affected Version(s)

Apache OFBiz 0 < 24.09.06

References

https://lists.apache.org/thread/yw4owrzl0yho1yx7oqxvr6xjk...

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 19, 2026
Vulnerability Reserved
May 12, 2026

Credit

Mike Cole

CVE-2026-45434 Data

JSON