A critical authentication bypass vulnerability in Apache OFBiz allows attackers to hijack forced password-change flows and achieve remote code execution (RCE) via a single HTTP request, affecting all versions before 24.09.06.
- CVE ID: CVE-2026-45434
- CVSS 3.1 Score: 8.8 (High)
- Affected Versions: Apache OFBiz < 24.09.06
- Patched Version: Apache OFBiz 24.09.06
- Disclosed: May 20, 2026 | Researcher: Aretiq AI
Apache OFBiz RCE Flaw
Apache OFBiz is an open-source Enterprise Resource Planning (ERP) platform used for managing business processes.
When an administrator flags a user account with requirePasswordChange=Y, such as after a credential leak or during onboarding, that account should be locked from all functionality until a password reset is completed.
Researchers at Aretiq AI found that LoginWorker.checkLogin() does not treat a “requirePasswordChange” result from the underlying login() call as an authentication failure.
Because the method compares the result only against the string “error”, a “requirePasswordChange” response is passed through as a successful login.
A second flaw compounds this: the requirePasswordChange flag is read from an attacker-controlled HTTP request parameter rather than from the user's database record. Together, the two flaws let an attacker inject the password-change flow into any protected endpoint with a single POST request.
Chaining these two authentication flaws with a third issue in ProgramExport.groovy, which, in versions before 24.09.06, lacked permission checks and a Groovy sandbox, results in full remote code execution as the OFBiz process user.
The exploit works in three steps:
- Auth bypass via checkLogin(): The method only evaluates “error”.equals(login(request, response)). When login() returns “requirePasswordChange”, the comparison evaluates to false, causing the method to return “success” – granting access without completing a real authentication challenge.
- Client-controlled flag injection: The requirePasswordChange flag is read directly from the HTTP request via request.getParameter(“requirePasswordChange”). An attacker submits the parameter requirePasswordChange=Y along with valid credentials and a chosen new password. This triggers an inline password change via the updatePassword service and establishes a fully authenticated session – all within a single request.
- Unsandboxed Groovy execution via ProgramExport: In vulnerable versions, ProgramExport.groovy evaluates user-supplied Groovy code using a plain GroovyShell with no permission verification, no SecureASTCustomizer, and no dangerous-pattern blocklist. This grants the attacker full JVM access, including OS command execution via Runtime.getRuntime().exec().
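To make the two authentication flaws concrete, here is a small Python model of the vulnerable login()/checkLogin() pair beside the patched behaviour described for 24.09.06. It is an added illustration, not OFBiz code and not the researchers' proof of concept; the parameter names USERNAME, PASSWORD and newPassword, the in-memory user store, the endpoint handler and the sample Groovy string are assumptions made for the demonstration, and how the pre-patch code enforced the database flag on the normal login form is outside the model.

```python
# Added illustration, not OFBiz code: a Python model of the vulnerable
# login()/checkLogin() pair and of the patched behaviour. USERNAME, PASSWORD,
# newPassword, the in-memory user store and the handler are assumptions.

ERROR = "error"
SUCCESS = "success"
REQUIRE_PW_CHANGE = "requirePasswordChange"


def make_user_store():
    # Constructed data: the demo 'admin' account, flagged by an administrator
    # for a forced password change, which is supposed to lock it.
    return {"admin": {"password": "ofbiz", "requirePasswordChange": "Y"}}


def credentials_valid(store, params):
    user = store.get(params.get("USERNAME"))
    return user is not None and user["password"] == params.get("PASSWORD")


def login_vulnerable(store, params):
    """login() before 24.09.06: the flag is taken from the HTTP request.
    (Enforcement of the database flag elsewhere is not modelled.)"""
    if not credentials_valid(store, params):
        return ERROR
    if params.get("requirePasswordChange") == "Y":
        # Inline password change driven by attacker-chosen input, followed by
        # a third return value that the caller does not treat as a failure.
        user = store[params["USERNAME"]]
        user["password"] = params.get("newPassword", user["password"])
        user["requirePasswordChange"] = "N"
        return REQUIRE_PW_CHANGE
    return SUCCESS


def login_patched(store, params):
    """login() in 24.09.06: the flag comes only from the user record, and the
    forced-change path is reported to the caller as an error."""
    if not credentials_valid(store, params):
        return ERROR
    if store[params["USERNAME"]]["requirePasswordChange"] == "Y":
        return ERROR  # account stays locked until the dedicated flow completes
    return SUCCESS


def check_login(login_fn, store, params):
    """checkLogin(): anything other than 'error' counts as success. The fix
    removes the third state from login() rather than tightening this test."""
    return ERROR if ERROR == login_fn(store, params) else SUCCESS


def protected_endpoint(login_fn, store, params):
    """A request to an auth-protected URI such as /webtools/control/ProgramExport:
    the handler runs only when checkLogin() reports success."""
    if check_login(login_fn, store, params) != SUCCESS:
        return "rejected"
    return "handler ran: " + params.get("groovyProgram", "")


# The single-request chain from the article, with constructed values.
ATTACK_REQUEST = {
    "USERNAME": "admin",
    "PASSWORD": "ofbiz",
    "requirePasswordChange": "Y",
    "newPassword": "attacker-chosen",
    "groovyProgram": "System.getProperty('user.name')",
}


def demo():
    """Run the same request against both versions; returns (vulnerable, patched)."""
    return (
        protected_endpoint(login_vulnerable, make_user_store(), ATTACK_REQUEST),
        protected_endpoint(login_patched, make_user_store(), ATTACK_REQUEST),
    )


if __name__ == "__main__":
    for label, outcome in zip(("vulnerable", "patched"), demo()):
        print(f"{label:10s} -> {outcome}")
```

Running demo() shows the vulnerable pair letting the request reach the handler after silently changing the password, while the patched pair rejects it because the locked-account state now comes from the record and is reported as “error”. The gate is left unchanged in both cases to mirror the commit description, which fixes login(); as a general pattern, a gate that accepts only an explicit “success” (rather than anything but “error”) would have been robust against the extra return value in the first place.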
In testing on OFBiz 24.09.05, a single crafted POST request to /webtools/control/ProgramExport yielded command execution as uid=0(root). The root result reflects the test instance running OFBiz as root; in general the attacker inherits the privileges of whatever account runs the OFBiz process, which is one more reason not to run it as root.
Apache OFBiz ships with over ten demo accounts, including admin, flexadmin, demoadmin, and ltdadmin, all using the default password ofbiz.
This means that development, staging, and recently deployed production instances are trivially exploitable with no prior reconnaissance. The vulnerability is also notable for its similarity to CVE-2023-51467, an earlier requirePasswordChange logic flaw in the same login path, rated CVSS 9.8 in NVD.
Affected Products

| Product | Affected versions | CPE |
| --- | --- | --- |
| Apache OFBiz | All versions < 24.09.06 (the entire 18.12.x branch and 24.09.x through 24.09.05) | cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:* |
Apache addressed the vulnerability in version 24.09.06 via three commits:
- Commit 6516157 – Removes the client-controlled requirePasswordChange HTTP parameter entirely; all previous “requirePasswordChange” return paths in login() now return “error”; the flag is now read exclusively from the database user record.
- Commit 771efc4 – Adds an ENTITY_MAINT permission check to ProgramExport.groovy, blocking unauthenticated or low-privilege access.
- Commit c0592a3 – Introduces a strict Groovy sandbox to ProgramExport.groovy using SecureASTCustomizer, an import allowlist limited to nine OFBiz entity classes, a receiver allowlist, and a 40+ pattern regex blocklist blocking Runtime, ProcessBuilder, .execute(), and similar dangerous calls.
Detection & Mitigation
Network Detection (Suricata): Alert on HTTP POST requests to /webtools/control/ProgramExport that carry both requirePasswordChange=Y and a groovyProgram parameter. This combination does not occur in legitimate OFBiz usage. Because a servlet's getParameter() reads query-string and form-body parameters alike, match on both locations rather than on the body alone.
Host-Based Detection (YARA): Scan LoginWorker.java for the pattern request.getParameter("requirePasswordChange") (vulnerable) versus userLogin.getString("requirePasswordChange") (patched), and scan ProgramExport.groovy for the presence or absence of SecureASTCustomizer and ENTITY_MAINT. This assumes the source tree is present on the host; where only compiled artifacts are deployed, confirm the installed version instead.
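The two detection ideas above, network-side and host-side, as plain Python run over constructed data, so the logic can be checked before being turned into Suricata and YARA rules. This is an added example, not from the article, Aretiq AI or the OFBiz project; the request records and source snippets are made up and contain only the markers the article names, and the source patterns use straight quotes as Java source does.

```python
# Added example, not from the article or the OFBiz project: plain-Python forms
# of the network and host checks above, run on constructed sample data.
import re
from urllib.parse import parse_qs, urlsplit

PROGRAM_EXPORT_PATH = "/webtools/control/ProgramExport"


def request_params(uri, body):
    """Merge query-string and form-body parameters into one dict of lists,
    which is what a servlet's getParameter() effectively sees."""
    merged = {}
    for encoded in (urlsplit(uri).query, body):
        for key, values in parse_qs(encoded, keep_blank_values=True).items():
            merged.setdefault(key, []).extend(values)
    return merged


def is_suspicious_request(method, uri, body, methods=("POST",)):
    """Network-side signature: a request to ProgramExport carrying both
    requirePasswordChange=Y and a groovyProgram parameter."""
    if method.upper() not in methods:
        return False
    if urlsplit(uri).path != PROGRAM_EXPORT_PATH:
        return False
    params = request_params(uri, body)
    return "Y" in params.get("requirePasswordChange", []) and "groovyProgram" in params


def flag_requests(records, methods=("POST",)):
    """Indices of the (method, uri, body) records that match the signature."""
    return [i for i, (m, u, b) in enumerate(records) if is_suspicious_request(m, u, b, methods)]


# Constructed sample traffic as (method, request-URI, body) tuples.
SAMPLE_REQUESTS = [
    # 0: the chained request, flag and program both in the body
    ("POST", PROGRAM_EXPORT_PATH,
     "USERNAME=admin&PASSWORD=ofbiz&requirePasswordChange=Y&newPassword=x&groovyProgram=1%2B1"),
    # 1: same chain, flag moved to the query string (body-only rules miss it)
    ("POST", PROGRAM_EXPORT_PATH + "?requirePasswordChange=Y",
     "USERNAME=admin&PASSWORD=ofbiz&groovyProgram=1%2B1"),
    # 2: ordinary use of the tool by an already authenticated admin
    ("POST", PROGRAM_EXPORT_PATH, "groovyProgram=1%2B1"),
    # 3: the normal forced-change flow, which never carries groovyProgram
    ("POST", "/webtools/control/login",
     "USERNAME=admin&PASSWORD=ofbiz&requirePasswordChange=Y&newPassword=x"),
    # 4: same parameters sent with GET; only matched when GET is opted in
    ("GET", PROGRAM_EXPORT_PATH + "?requirePasswordChange=Y&groovyProgram=1", ""),
]

# Host-side markers named in the article (straight quotes, as in Java source).
LOGIN_WORKER_VULNERABLE = re.compile(r'request\.getParameter\(\s*"requirePasswordChange"\s*\)')
LOGIN_WORKER_PATCHED = re.compile(r'userLogin\.getString\(\s*"requirePasswordChange"\s*\)')
PROGRAM_EXPORT_MARKERS = ("ENTITY_MAINT", "SecureASTCustomizer")


def classify_login_worker(source):
    """'vulnerable' if the request-parameter read is still present, 'patched'
    if only the user-record read is found, otherwise 'unknown'."""
    if LOGIN_WORKER_VULNERABLE.search(source):
        return "vulnerable"
    if LOGIN_WORKER_PATCHED.search(source):
        return "patched"
    return "unknown"


def classify_program_export(source):
    """'patched' only when both the permission check and the sandbox are present."""
    missing = [m for m in PROGRAM_EXPORT_MARKERS if m not in source]
    return "patched" if not missing else "vulnerable (missing " + ", ".join(missing) + ")"


# Constructed source snippets containing only the markers, not real OFBiz code.
LOGIN_WORKER_OLD = 'String requirePasswordChange = request.getParameter("requirePasswordChange");'
LOGIN_WORKER_NEW = 'String requirePasswordChange = userLogin.getString("requirePasswordChange");'
PROGRAM_EXPORT_OLD = "def shell = new GroovyShell()\nshell.evaluate(groovyProgram)"
PROGRAM_EXPORT_NEW = "// permission check: ENTITY_MAINT\n// sandbox: new SecureASTCustomizer()"


if __name__ == "__main__":
    print("suspicious requests:", flag_requests(SAMPLE_REQUESTS))
    print("LoginWorker.java (old):", classify_login_worker(LOGIN_WORKER_OLD))
    print("LoginWorker.java (new):", classify_login_worker(LOGIN_WORKER_NEW))
    print("ProgramExport.groovy (old):", classify_program_export(PROGRAM_EXPORT_OLD))
    print("ProgramExport.groovy (new):", classify_program_export(PROGRAM_EXPORT_NEW))
```

Samples 1 and 4 are the cases a body-only, POST-only rule misses; the article's rule targets POST bodies, so the method filter is a parameter here and the parameter merge covers both locations. When porting to Suricata, remember that content matches run on the raw request body, so a percent-encoded variant of either parameter needs the url_decode transform (or equivalent normalisation) to match. The host-side classifier deliberately reports "vulnerable" for LoginWorker.java whenever the request-parameter read is present, even if the user-record read also appears.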
Immediate Mitigation Steps:
- Upgrade to Apache OFBiz 24.09.06 immediately.
- Remove or deactivate all demo accounts (admin, flexadmin, demoadmin, etc.) or change default passwords before exposing any OFBiz instance to the network.
- Restrict access to /webtools/control/ProgramExport at the WAF or reverse proxy layer.
- Audit all user accounts for the requirePasswordChange=Y flag and, after upgrading, verify that such accounts are actually blocked until the password change completes.

