Authorization Bypass in Axelor Open Platform Affects User Permissions
CVE-2026-63085
Key Information:
- Vendor
Axelor
- Status
- Vendor
- CVE Published:
- 16 July 2026
Badges
What is CVE-2026-63085?
The Axelor Open Platform versions 8.x before 8.2.2 contain a vulnerability that allows authenticated non-admin users to exploit an authorization bypass. This security flaw allows users to escalate their privileges by taking advantage of unenforced field restrictions during nested relational save operations. Specifically, attackers can manipulate sensitive User record fields such as roles and group assignments by submitting changes through a related entity's save path, effectively bypassing established controls. This could lead to unauthorized modifications in user permissions, compromising the security integrity of the application.
Affected Version(s)
axelor-open-platform 8.0.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
