PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-63085 axelor CVE debrief

CVE-2026-63085 is an authorization bypass vulnerability in Axelor Open Platform versions 8.x prior to 8.2.2. Authenticated non-admin users can escalate privileges by exploiting unenforced field restrictions on nested relational save operations. This vulnerability allows attackers to modify sensitive User record fields such as roles and group by submitting changes through a related entity's save path, bypassing the USER_RESTRICTED_FIELDS control.

Vendor
axelor
Product
axelor-open-platform
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of Axelor Open Platform versions 8.x prior to 8.2.2 should apply the patch to prevent privilege escalation attacks. This includes administrators, security teams, and operators who manage or interact with the affected platform.

Technical summary

The vulnerability allows authenticated non-admin users to modify sensitive User record fields such as roles and group by submitting changes through a related entity's save path, bypassing the USER_RESTRICTED_FIELDS control. This causes the JPA persistence layer to flush attacker-supplied admin role and group assignments on commit. The affected product is Axelor Open Platform versions 8.x prior to 8.2.2.

Defensive priority

High

Recommended defensive actions

  • Apply the patch to upgrade Axelor Open Platform to version 8.2.2 or later
  • Restrict access to sensitive User record fields
  • Monitor for suspicious activity on nested relational save operations
  • Review system logs for unusual privilege escalation attempts
  • Verify system configurations to ensure USER_RESTRICTED_FIELDS control is enforced
  • Conduct regular security audits to detect potential exploitation
  • Implement compensating controls for exposed systems while remediation is scheduled and verified

Evidence notes

The CVE record was published on 2026-07-16T17:16:58.420Z and has not been modified since then. The NVD entry is currently Deferred. The vulnerability affects Axelor Open Platform versions 8.x prior to 8.2.2. Evidence of exploitation is not currently available, but defenders should verify system logs for suspicious activity related to nested relational save operations.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T17:16:58.420Z and has not been modified since then. The NVD entry is currently Deferred.