
CVE-2026-31986 — Apache OFBiz: Unauthenticated RCE via Default JWT Signing Key and Widget Template Injection

AI-predicted score: 5.3 (Difficulty: Moderate)

Possible ATT&CK Techniques (1, AI-suggested)

T1552 · Unsecured Credentials

I. Basic Information for CVE-2026-31986

Vulnerability Information


Vulnerability Title
Apache OFBiz: Unauthenticated RCE via Default JWT Signing Key and Widget Template Injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
Use of Hard-coded Cryptographic Key
Source: NVD (National Vulnerability Database)

Affected Products

Vendor: Apache Software Foundation
Product: Apache OFBiz
Affected Versions: 0 ~ 24.09.06
CPE: -

II. Public POCs for CVE-2026-31986


No public POC found.


III. Intelligence Information for CVE-2026-31986


Same Patch Batch · Apache Software Foundation · 2026-05-19 · 18 CVEs total

CVE-2026-31906 Apache OFBiz: Reflected XSS via Improper HTML Attribute Escaping in Layered-Modal Dialog P
CVE-2026-29220 Apache OFBiz: Low-Privilege LFI in Content Component
CVE-2026-29207 Apache OFBiz: Low-Privilege SSTI Leading to RCE in the Content Component
CVE-2026-29226 Apache OFBiz: Low-Privilege SSRF in Content Component
CVE-2026-31378 Apache OFBiz: JSON Attribute Override and URL Allowlist Bypass Leads to Remote Code Execut
CVE-2026-31379 Apache OFBiz: Path Traversal and File Upload Validation Bypass Leading to Arbitrary File W
CVE-2026-31380 Apache OFBiz: FreeMarker SSTI via Duplicate Parameter Sanitization Bypass
CVE-2026-31387 Apache OFBiz: Cookie Manipulation Allows Authenticated JWT Forgery and Account Impersonati
CVE-2026-31388 Apache OFBiz: Cross-Tenant Data Exposure via Program Export Feature
CVE-2026-47323 Apache Camel: Camel-CXF Message Header Injection via Missing Inbound Filtering
CVE-2026-31909 Apache OFBiz: Unauthenticated Shipment Label Image Disclosure
CVE-2026-31910 Apache OFBiz: Improper Input Validation in UI Factory Classes Leads to SSRF and Blind File
CVE-2026-35086 Apache OFBiz: Authenticated Remote Code Execution via Unsafe Template Expansion in email s
CVE-2026-41919 Apache OFBiz: Authentication Bypass due to Improper Neutralization of LDAP Special Element
CVE-2026-45187 Apache OFBiz: Improper Authorization in Scheduled Job Creation Allows Low-Privileged Users
CVE-2026-45434 Apache OFBiz: Authentication Bypass via Password-Change Logic Flaw Leading to RCE
CVE-2026-46586 Apache OFBiz: Improper Validation in traverseContent Service Enables Authenticated Groovy

IV. Related Vulnerabilities
