HIGH | CVE-2026-50223 | Published | Modified | CNA: apache

CVE-2026-50223: Apache OFBiz: DataResource Low-Privileged Authenticated FreeMarker Template Injection Leads to Remote Code Execution

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with Content/DataResource editing privileges to perform template injection attacks that could lead to Remote Code Execution. This issue affects Apache OFBiz: before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue.

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 24.09.07
Affected Products: 1

HarborGuard Analysis

Synopsis

A server-side template injection vulnerability in Apache OFBiz allows a low-privileged authenticated user with Content/DataResource editing privileges to inject arbitrary FreeMarker template directives. The vulnerability is reachable over the network and requires no more than a standard low-privilege account, with no victim interaction needed. Successful exploitation gives the attacker full remote code execution on the host running OFBiz. A patched-image rebuild at version 24.09.07 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Apache OFBiz. Any image containing a vulnerable version of OFBiz (before 24.09.07) is flagged in the relevant registry and CI/CD pipeline scan.

Status: Available

Triage

HarborGuard surfaces this CVE with its CVSS v3.1 score of 8.8 (HIGH) and applies per-environment compliance policy weighting to set priority and route the finding to the appropriate team inbox within each customer organization.

Status: Available

Patch

A patched-image rebuild at Apache OFBiz 24.09.07 becomes available through HarborGuard once the fix version is confirmed in upstream package feeds. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the OFBiz application over the network; the service must be exposed to the attacker's network path.

  • Authentication: Required

    A low-privilege account with Content/DataResource editing privileges is sufficient; no administrative access is needed.

  • Victim interaction: Not required

    The attacker can complete the exploit entirely without involving or deceiving another user.

  • Attack complexity: Detail

    The exploit is reliable and condition-free, requiring no race conditions, memory layout knowledge, or special environmental setup.

Blast Radius

  • The attacker executes arbitrary operating system commands on the OFBiz host, gaining a foothold on the underlying server.
  • All data accessible to the OFBiz process is readable, including database credentials, session tokens, and business records.
  • The attacker can write or overwrite files on the host filesystem, enabling persistence or further lateral movement.
  • The OFBiz service can be crashed or rendered unavailable, disrupting business operations dependent on it.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image containing Apache OFBiz before 24.09.07, across registry scans and pipeline checks. The finding is scored at CVSS 8.8 HIGH and routed according to each environment's compliance policy. A rebuild at the fixed version 24.09.07 is available for affected images. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs regression tests, and opens a PR against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, teams are notified immediately and can initiate the rebuild manually from the HarborGuard dashboard. Until the upgrade is applied, consider restricting Content/DataResource editing privileges to the minimum set of accounts that require them and applying network policy to limit inbound access to the OFBiz service.

Fix available: 24.09.07

Affected packages
  • Apache Software Foundation / Apache OFBiz
    < 24.09.07 (from 0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H