PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-29220 Apache CVE debrief

CVE-2026-29220 is a path traversal issue in Apache OFBiz affecting versions before 24.09.06. Apache recommends upgrading to 24.09.06, which fixes the issue. The NVD record maps the weakness to CWE-22.

Vendor: Apache
Product: OFBiz
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Administrators and security teams running Apache OFBiz instances, especially any deployment still on a version earlier than 24.09.06.

Technical summary

The issue is described as an improper limitation of a pathname to a restricted directory, which is the standard path traversal weakness class (CWE-22). The affected product is Apache OFBiz before 24.09.06. The supplied sources do not include a CVSS vector or score.

Defensive priority

High

Recommended defensive actions

  • Upgrade Apache OFBiz to version 24.09.06 or later.
  • Inventory all OFBiz deployments and confirm no older versions remain in production or test environments.
  • Review any file-handling or upload-related controls around OFBiz deployments as part of normal hardening.
  • Validate the fix after upgrade and track the Apache security advisory and NVD record for any updates.
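The inventory step above is easiest to get wrong on version comparison (OFBiz releases use zero-padded components such as 24.09.06, and snapshot builds of the fixed number are not the fixed release). The following is an added example, not PatchSiren's or Apache's code; hostnames and versions in the sample inventory are constructed, and the rule that a pre-release build of 24.09.06 still counts as affected is a conservative assumption.

```python
import re
from typing import NamedTuple

# First fixed release named in the advisory for CVE-2026-29220.
FIXED_VERSION = "24.09.06"

# Accepts '24.09.06', 'v18.12.17' and qualified builds like '24.09.06-SNAPSHOT'.
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:[-+]([0-9A-Za-z.]+))?$")


class Version(NamedTuple):
    parts: tuple       # numeric components, e.g. (24, 9, 6)
    prerelease: bool   # True when a qualifier such as -SNAPSHOT is present


def parse_version(text: str) -> Version:
    """Parse an OFBiz release string into comparable components."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return Version(parts, m.group(2) is not None)


def _pad(parts: tuple, n: int) -> tuple:
    return parts + (0,) * (n - len(parts))


def is_affected(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the deployment is older than the fixed release.
    Assumption: a pre-release build of the fixed number is treated as affected."""
    v, f = parse_version(version_text), parse_version(fixed)
    n = max(len(v.parts), len(f.parts))
    vp, fp = _pad(v.parts, n), _pad(f.parts, n)
    if vp != fp:
        return vp < fp
    return v.prerelease


def triage(inventory: dict) -> list:
    """Return (host, version) pairs that still need the upgrade, sorted by host."""
    return sorted((host, ver) for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "erp-prod-01": "24.09.05",
    "erp-prod-02": "24.09.06",
    "erp-test-01": "22.01.04",
    "erp-dev-01": "24.09.06-SNAPSHOT",
    "erp-legacy": "18.12.17",
}

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: OFBiz {ver} is below {FIXED_VERSION}, upgrade required")
```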

Evidence notes

Source corpus indicates: CVE published and modified on 2026-05-19; NVD status is "Received"; weakness is listed as CWE-22; an Apache security mailing list thread is referenced by NVD; the vendor attribution in the source data is low-confidence and flagged for review, but the product naming in the CVE description explicitly identifies Apache OFBiz.

Official resources

Publicly disclosed on 2026-05-19 in the CVE/NVD record and Apache security reference thread. No KEV entry is included in the supplied enrichment.