CVE-2026-47342: Apache OFBiz: Privilege Escalation via updateOrRemove Authorization Bypass
A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges. This issue affects Apache OFBiz before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 24.09.07
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authorization bypass enabling privilege escalation affects Apache OFBiz versions before 24.09.07. The vulnerability is reachable over the network and requires only a low-privileged authenticated account, with no victim interaction needed. Successful exploitation grants the attacker full read, write, and availability control over the affected OFBiz instance. A patched-image rebuild at version 24.09.07 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including the Apache Security advisories and NVD) within minutes of publication and matched against all customer images, including custom-built OFBiz images in private registries and CI pipelines.
HarborGuard is capable of scoring this CVE at CVSS 8.8 (HIGH) and weighting that score against each environment's compliance policy to determine urgency. Triage routing is available to direct findings to the appropriate team inbox within each customer organization.
A patched-image rebuild at Apache OFBiz 24.09.07 is available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run regression tests against the new image, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the OFBiz service to exploit this vulnerability.
- Authentication: Required
  Any low-privilege account is sufficient; the attacker does not need admin credentials, but must hold at least a basic authenticated session in OFBiz.
- Victim interaction: Not required
  No victim interaction is needed; the attacker can exploit the authorization bypass entirely on their own without requiring another user to take any action.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- A successful attacker escalates their privileges and gains full read access to application data, including user records, order data, and any other information stored in OFBiz.
- The attacker can write or modify persisted data in OFBiz, including business records, user accounts, and configuration, enabling tampering or backdoor account creation.
- The attacker can disrupt availability of the OFBiz service, including triggering conditions that crash or destabilize the application for all users.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-47342 is active across all connected registries and pipelines, matching against any image that packages Apache OFBiz before version 24.09.07. For environments where an affected image is identified, a rebuild at the fixed version (24.09.07) is available. Customers with auto-remediation enabled get a rebuilt image, a regression-test run against that image, and a pull request opened against affected workloads; for high-severity issues like this one, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, HarborGuard surfaces the finding with the CVSS 8.8 score and fix version pre-populated so reviewers can act without additional research.
Fix available
- Apache Software Foundation / Apache OFBiz: < 24.09.07 (from 0)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H