An Apache OFBiz vulnerability tracked as CVE-2026-45434 could allow attackers to bypass authentication protections and execute malicious code on vulnerable servers through a crafted HTTP request. The flaw affects all Apache OFBiz versions before 24.09.06 and carries a high CVSS score of 8.8.
Apache OFBiz is a widely used open-source ERP platform for managing enterprise business operations and workflows. Researchers from Aretiq AI discovered that attackers could abuse the platform’s password-change mechanism to gain unauthorized access and execute malicious code on vulnerable servers.
Authentication Bypass Through Password Reset Logic
The issue originates from the way Apache OFBiz handles forced password-change workflows. Normally, accounts marked with requirePasswordChange=Y should remain restricted until the password reset process is completed.
However, researchers found that the LoginWorker.checkLogin() method incorrectly treats the requirePasswordChange response as a successful login instead of an authentication failure.
The vulnerability becomes more dangerous because the requirePasswordChange value is read directly from user-controlled HTTP request parameters rather than securely validated against database records.
By abusing this behavior, attackers can:
- Inject password-change parameters into a crafted HTTP request
- Create an authenticated session without completing a proper login process
Researchers also warned that many OFBiz deployments still contain default demo accounts such as admin, flexadmin, and demoadmin, often configured with default credentials like ofbiz.
Remote Code Execution and Security Fixes
The authentication bypass can be chained with another vulnerability affecting ProgramExport.groovy. In vulnerable versions, the component allows execution of user-supplied Groovy code without proper sandboxing or permission checks.
This allows attackers to execute arbitrary system commands directly on the server. Researchers successfully demonstrated remote code execution on OFBiz 24.09.05 using a single crafted POST request targeting /webtools/control/ProgramExport.
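As an added defensive example (not code from the advisory, the researchers, or the OFBiz project), the following Python scans web-server access logs for the two request patterns described above: a client-supplied requirePasswordChange parameter on a login request, and requests to the /webtools/control/ProgramExport endpoint, then correlates both from a single source address. The log lines are constructed, and the function names and indicator labels are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/May/2026:10:00:01 +0000] "GET /ordermgr/control/main HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/May/2026:10:00:02 +0000] "POST /webtools/control/login?requirePasswordChange=Y HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.11 - - [01/May/2026:10:00:03 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.5 - - [01/May/2026:10:05:00 +0000] "GET /webtools/control/ProgramExport HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Client IP, method and request target of a Combined Log Format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

def classify(line):
    """Return (ip, indicator) for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = parts.path.rstrip("/")
    # Indicator 1: the password-change flag arriving from the client.
    # Access logs only expose the query string; a flag sent in a POST body
    # is visible only with request-body logging at a proxy or WAF.
    if any(k.lower() == "requirepasswordchange" for k in parse_qs(parts.query)):
        return m["ip"], "password-change-param"
    # Indicator 2: any hit on the Groovy execution endpoint named in the advisory;
    # the method is kept so POSTs (the demonstrated vector) can be ranked higher.
    if path.endswith("/webtools/control/ProgramExport"):
        return m["ip"], "program-export-" + m["method"].lower()
    return None

def scan(log_text):
    """All suspicious lines, in log order, as {"ip", "indicator"} dicts."""
    findings = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            findings.append({"ip": hit[0], "indicator": hit[1]})
    return findings

def chained_sources(findings):
    """IPs that show both the login indicator and a ProgramExport request."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["indicator"])
    return {ip for ip, inds in by_ip.items()
            if "password-change-param" in inds
            and any(i.startswith("program-export") for i in inds)}
```

Feed real access logs through scan() and treat chained_sources() hits as the highest-priority items; a lone ProgramExport request from an administrator's address is expected on an unpatched but unexploited host.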
Successful exploitation could allow attackers to:
- Execute malicious commands on the server
- Deploy malware or backdoors
Apache fixed the issue in version 24.09.06 by removing unsafe password-change handling, adding stricter permission checks, and introducing a secure Groovy sandbox to block dangerous command execution patterns.
Organizations are strongly advised to upgrade immediately, remove default demo accounts, change weak credentials, and restrict access to sensitive OFBiz administrative endpoints.