CVE-2026-41919 Apache Software Foundation CVE debrief

Who should care

Organizations running Apache OFBiz with LDAP integration for authentication or directory services; security teams managing ERP systems; identity and access management administrators responsible for directory service security

Technical summary

The vulnerability exists in Apache OFBiz's LDAP integration components where user-supplied input is incorporated into LDAP queries without adequate sanitization. Attackers can inject LDAP filter syntax to alter query logic, potentially bypassing authentication checks or extracting directory information. The attack requires no authentication and is exploitable over the network. OFBiz deployments using LDAP for user authentication or directory synchronization are at highest risk. The fix in 24.09.06 implements proper input validation and parameterized LDAP queries.

Defensive priority

critical

Recommended defensive actions

• Upgrade Apache OFBiz to version 24.09.06 or later immediately
• If immediate patching is not feasible, restrict network access to OFBiz administrative interfaces and LDAP-dependent authentication endpoints
• Review LDAP query construction in custom OFBiz extensions for proper input validation
• Monitor authentication logs for anomalous LDAP query patterns or unexpected directory traversal attempts
• Validate that upstream LDAP servers implement query filtering and rate limiting as defense-in-depth

Evidence notes

CWE-90 (LDAP Injection) confirmed via Apache security advisory. Affected versions confirmed through CPE criteria: all Apache OFBiz versions before 24.09.06. CVSS vector confirms network-accessible, unauthenticated attack with high confidentiality and integrity impact.

Official resources