Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-31387— Apache OFBiz: Cookie Manipulation Allows Authenticated JWT Forgery and Account Impersonation

AI Predicted 7.5 Difficulty: Moderate EPSS 0.02% · P6

Possible ATT&CK Techniques 1AI

T1078 · Valid Accounts
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-31387

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Apache OFBiz: Cookie Manipulation Allows Authenticated JWT Forgery and Account Impersonation
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Apache Software FoundationApache OFBiz 0 ~ 24.09.06 -

II. Public POCs for CVE-2026-31387

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-31387

登录查看更多情报信息。

Same Patch Batch · Apache Software Foundation · 2026-05-19 · 20 CVEs total

CVE-2026-31910Apache OFBiz: Improper Input Validation in UI Factory Classes Leads to SSRF and Blind File
CVE-2026-29220Apache OFBiz: Low-Privilege LFI in Content Component
CVE-2026-29207Apache OFBiz: Low-Privilege SSTI Leading to RCE in the Content Component
CVE-2026-29226Apache OFBiz: Low-Privilege SSRF in Content Component
CVE-2026-31378Apache OFBiz: JSON Attribute Override and URL Allowlist Bypass Leads to Remote Code Execut
CVE-2026-31379Apache OFBiz: Path Traversal and File Upload Validation Bypass Leading to Arbitrary File W
CVE-2026-31380Apache OFBiz: FreeMarker SSTI via Duplicate Parameter Sanitization Bypass
CVE-2026-31388Apache OFBiz: Cross-Tenant Data Exposure via Program Export Feature
CVE-2026-31906Apache OFBiz: Reflected XSS via Improper HTML Attribute Escaping in Layered-Modal Dialog P
CVE-2026-31909Apache OFBiz: Unauthenticated Shipment Label Image Disclosure
CVE-2026-27173Apache Airflow CNCF Kubernetes provider: JWT Token Exposure in KubernetesExecutor Command-
CVE-2026-31986Apache OFBiz: Unauthenticated RCE via Default JWT Signing Key and Widget Template Injectio
CVE-2026-35086Apache OFBiz: Authenticated Remote Code Execution via Unsafe Template Expansion in email s
CVE-2026-41919Apache OFBiz: Authentication Bypass due to Improper Neutralization of LDAP Special Element
CVE-2026-45187Apache OFBiz: Improper Authorization in Scheduled Job Creation Allows Low-Privileged Users
CVE-2026-45434Apache OFBiz: Authentication Bypass via Password-Change Logic Flaw Leading to RCE
CVE-2026-46586Apache OFBiz: Improper Validation in traverseContent Service Enables Authenticated Groovy
CVE-2026-47323Apache Camel: Camel-CXF Message Header Injection via Missing Inbound Filtering
CVE-2026-42526Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS

IV. Related Vulnerabilities

Same product: Apache OFBiz
Same vendor: Apache Software Foundation
Same weakness: CWE-287

V. Comments for CVE-2026-31387

No comments yet

Leave a comment