PatchSiren cyber security CVE debrief
CVE-2026-31388 Apache Software Foundation CVE debrief
Apache OFBiz versions prior to 24.09.06 contain an Improper Access Control vulnerability (CWE-284) affecting multi-tenant deployments. The vulnerability, published 2026-05-19, allows unauthorized access and carries a CVSS 3.1 base score of 5.3 (Medium severity). The attack vector is network-based with low attack complexity, requiring no privileges or user interaction. Apache has released version 24.09.06 to remediate this issue. Organizations running multi-tenant OFBiz deployments should prioritize upgrading to the fixed version.
- Vendor: Apache Software Foundation
- Product: Apache OFBiz
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
Organizations running Apache OFBiz in multi-tenant configurations, particularly service providers and enterprises with shared ERP instances.
Technical summary
Improper Access Control (CWE-284) in Apache OFBiz multi-tenant deployments allows unauthorized network-based access. Fixed in version 24.09.06. CVSS 5.3 Medium severity.
Defensive priority
Medium
Recommended defensive actions
- Upgrade Apache OFBiz to version 24.09.06 or later
- Review multi-tenant deployment configurations for unauthorized access patterns
- Monitor Apache OFBiz security mailing list for additional guidance
Evidence notes
Vulnerability confirmed via NVD and Apache security mailing list. Affects all versions before 24.09.06. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
Official resources
- CVE-2026-31388 CVE record (CVE.org)
- CVE-2026-31388 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Mailing List, Vendor Advisory
- Source reference: af854a3a-2127-422b-91ae-364da2661108 (2026-05-19)