PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46586 Apache Software Foundation CVE debrief

CVE-2026-46586 is a high-severity code-injection issue in Apache OFBiz affecting all releases before 24.09.06. NVD scores it 8.8 (HIGH): network attack vector, low attack complexity, low privileges required and no user interaction, so an attacker who holds a low-privileged OFBiz account and can reach the application needs nothing more. The vendor advisory fixes the issue in 24.09.06 and recommends upgrading to it.

Vendor
Apache Software Foundation
Product
Apache OFBiz
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-19
Original CVE updated
2026-05-20
Advisory published
2026-05-19
Advisory updated
2026-05-20

Who should care

Apache OFBiz administrators, application owners, security teams, and platform teams that deploy or integrate OFBiz should treat this as a priority patch item, especially for internet-facing or broadly reachable installations.

Technical summary

The NVD record classifies the flaw as improper control of generation of code (CWE-94) and improper neutralization of directives in dynamically evaluated code (CWE-95), that is, an eval-style code injection. Per the CVSS vector it is exploitable over the network, needs only low privileges and no user interaction, and has high impact on confidentiality, integrity, and availability within the application's own scope. The affected range is every Apache OFBiz release before 24.09.06. The references summarized here give no finer-grained detail such as an affected component or entry point, so every pre-24.09.06 deployment should be treated as affected regardless of which OFBiz applications it has enabled.

Defensive priority

High. This is a remotely reachable code-injection flaw with high impact on confidentiality, integrity, and availability and only low privileges required, so an internal-only deployment is still exposed to anyone holding a low-privileged account. Affected OFBiz environments should be patched promptly.

Recommended defensive actions

  • Upgrade Apache OFBiz to version 24.09.06 or later.
  • Inventory all OFBiz deployments, including embedded or internally hosted instances, to confirm exposure.
  • Apply the vendor-recommended fix and validate that no older OFBiz version remains in production, staging, or disaster-recovery environments.
  • Review related security monitoring and change records around OFBiz for signs of anomalous activity while remediation is underway.
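The inventory and validation steps above are easy to get wrong by hand (a plain string comparison of version numbers, for instance, sorts "24.9.6" before "24.09.06"). The following is an added example, not PatchSiren or Apache code: given a list of (host, version) pairs it flags every release before 24.09.06 as needing the patch. The host names and version strings are constructed sample data, and the choice to send any non-numeric version string (snapshot builds, "unknown") to manual review instead of treating it as safe is an assumption made here, not guidance from the advisory.

```python
"""Triage an Apache OFBiz inventory against the CVE-2026-46586 affected range
(every release before 24.09.06).

Added example, not PatchSiren or Apache code. The inventory rows are
constructed sample data with hypothetical host names.
"""
import re
from typing import Dict, List, Tuple

FIXED_VERSION = "24.09.06"  # first fixed release per the Apache advisory

# Only plain numeric release strings are accepted; anything with a suffix
# (e.g. "-SNAPSHOT") or free text is deliberately rejected so that it ends
# up in manual review rather than being scored as fixed (assumption).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn an OFBiz release string such as '24.09.06' into a comparable tuple.

    Components are compared as integers, so '24.09.06' and '24.9.6' are the
    same release and '24.09.10' sorts after '24.09.06'. A missing patch
    component ('24.09') is treated as 0, the earliest release of that line.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OFBiz version string: {version!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the release is before 24.09.06, i.e. in the affected range."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Classify each (host, version) pair as 'patch', 'ok' or 'review'.

    Entries whose version string cannot be parsed are returned as 'review'
    rather than silently counted as safe.
    """
    verdicts: Dict[str, str] = {}
    for host, version in inventory:
        try:
            verdicts[host] = "patch" if is_affected(version) else "ok"
        except ValueError:
            verdicts[host] = "review"
    return verdicts


# Constructed sample inventory (hypothetical hosts and versions), covering
# production, staging and disaster-recovery systems as the advice above asks.
SAMPLE_INVENTORY = [
    ("erp-prod-01", "24.09.05"),
    ("erp-prod-02", "24.09.06"),
    ("erp-dr-01", "18.12.17"),
    ("erp-stage-01", "24.09.06-SNAPSHOT"),
    ("erp-legacy-01", "unknown"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {verdict}")
```

Feed `triage` the (host, version) pairs from whatever your asset inventory exports; everything marked "patch" goes on the upgrade list and everything marked "review" needs a human to establish the real build before it is declared safe.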

Evidence notes

The supplied NVD record lists the CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (score 8.8) and identifies CWE-94 and CWE-95. Read literally, the vector means network-reachable, low attack complexity, a low-privileged account required, no user interaction, scope unchanged, and high confidentiality, integrity, and availability impact. The Apache security mailing-list advisory is the primary vendor reference; it states that versions before 24.09.06 are affected and that 24.09.06 fixes the issue.

Official resources

The CVE was published on 2026-05-19 and modified on 2026-05-20. The supplied record points to Apache's mailing-list advisory and the OSS-Security post as the primary public references.