PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45187 Apache Software Foundation CVE debrief

Apache OFBiz Webtools contains an improper authorization vulnerability (CWE-285) that could allow unauthorized access to administrative functionality. The vulnerability affects all versions prior to 24.09.06. Apache released version 24.09.06 on May 19, 2026 to address this issue. The CVSS 3.1 score of 6.5 (Medium) reflects a network attack vector with low complexity, no required privileges or user interaction, and impacts to confidentiality and integrity. No known exploitation in the wild or ransomware campaign use has been reported.

Vendor
Apache Software Foundation
Product
Apache OFBiz
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-19
Original CVE updated
2026-05-19
Advisory published
2026-05-19
Advisory updated
2026-05-19

Who should care

Organizations running Apache OFBiz versions prior to 24.09.06, particularly those with externally accessible Webtools interfaces. System administrators and security teams responsible for ERP system maintenance should prioritize patching.

Technical summary

The vulnerability exists in the Apache OFBiz Webtools component due to improper authorization checks. Attackers could potentially reach administrative functionality without proper authentication or authorization. The issue is resolved in version 24.09.06.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Apache OFBiz to version 24.09.06 or later
  • Review access controls on Webtools administrative interfaces
  • Monitor Apache OFBiz security announcements for additional guidance
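The following Python script is an added example, not part of the PatchSiren debrief or of the Apache OFBiz project. It demonstrates two defender-side checks that follow from the actions above: deciding whether an installed OFBiz version is prior to the fixed 24.09.06 release, and scanning web-server access logs for requests to the Webtools path from outside a trusted network range. The log format (Apache/NGINX combined style), the `/webtools/` path prefix, the sample IPs and the trusted range are constructed assumptions for illustration; adjust them to your deployment.

```python
"""Added example: version check and Webtools access review for Apache OFBiz.

Assumptions (not from the advisory):
  - Installed version strings look like "18.12.17", "24.09.05" or "24.09.06".
  - Access logs are in combined log format.
  - Administrative Webtools requests live under the /webtools/ path.
  - Trusted administrator traffic comes from an RFC 1918 range (10.0.0.0/8).
"""
import ipaddress
import re

# Fixed release named in the advisory; everything earlier is affected.
FIXED_VERSION = "24.09.06"

# Constructed combined-log sample lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.45 - - [19/May/2026:10:01:12 +0000] "GET /webtools/control/main HTTP/1.1" 200 5123
10.0.0.7 - - [19/May/2026:10:02:03 +0000] "GET /webtools/control/main HTTP/1.1" 200 5123
198.51.100.9 - - [19/May/2026:10:03:44 +0000] "GET /ecommerce/control/main HTTP/1.1" 200 2210
203.0.113.45 - - [19/May/2026:10:05:00 +0000] "POST /webtools/control/somePage HTTP/1.1" 403 412
"""

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> tuple:
    """Turn '24.09.06' (or '24.09.06-SNAPSHOT') into a comparable integer tuple."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version sorts before the fixed release."""
    return parse_version(version) < parse_version(fixed)


def find_external_webtools_requests(log_text: str, trusted_cidrs: list,
                                    admin_prefix: str = "/webtools/") -> list:
    """Return log entries that hit the admin prefix from outside trusted ranges.

    Each result is a dict with ip, path, status and timestamp so a reviewer can
    see both successful (2xx) hits and rejected (403) attempts; both are worth
    looking at when reviewing access controls on the Webtools interface.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m or not m.group("path").startswith(admin_prefix):
            continue
        try:
            src = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed source field; skip rather than crash
        if any(src in net for net in trusted):
            continue
        findings.append({
            "ip": str(src),
            "path": m.group("path"),
            "status": int(m.group("status")),
            "timestamp": m.group("ts"),
        })
    return findings


if __name__ == "__main__":
    for v in ("18.12.17", "24.09.05", "24.09.06"):
        print(f"{v}: {'AFFECTED, upgrade' if is_affected(v) else 'fixed'}")
    for hit in find_external_webtools_requests(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f"external Webtools request: {hit}")
```

Run it against your own access log by replacing `SAMPLE_LOG` with the file contents and `["10.0.0.0/8"]` with the ranges your administrators actually use; any hit from outside those ranges, whether it returned 200 or 403, is a candidate for tightening the access controls the advisory recommends.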

Evidence notes

Vulnerability disclosed via Apache security mailing list on May 19, 2026. NVD record modified same day. Vendor advisory confirms fix in version 24.09.06.
