CVE-2021-26295

CRITICAL EXPLOITED NUCLEI

Apache OFBiz SOAP Java Deserialization

Title source: metasploit

Exploitation Summary

CVE-2021-26295 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including yumusb, yuaneuro and rakjong, as well as a Metasploit module, exploits/linux/http/apache_ofbiz_deserialization_soap. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains functional exploit code for CVE-2021-26295, a deserialization vulnerability in Apache OFBiz. The PoC uses ysoserial to generate payloads and includes both a detection script (poc.py) and an exploitation script (exp.py) for command execution.

Description

Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.

Exploits (6)

nomisec WORKING POC 23 stars
by yumusb · remote-auth
https://github.com/yumusb/CVE-2021-26295

This repository contains functional exploit code for CVE-2021-26295, a deserialization vulnerability in Apache OFBiz. The PoC uses ysoserial to generate payloads and includes both a detection script (poc.py) and an exploitation script (exp.py) for command execution.

Classification: Working PoC (95%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Apache OFBiz
No auth needed
Prerequisites: ysoserial.jar · target URL · DNSlog service for detection
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 6 stars
by yuaneuro · poc
https://github.com/yuaneuro/ofbiz-poc

This repository contains functional exploit code for CVE-2021-26295, a deserialization vulnerability in Apache OFBiz. The PoC leverages ysoserial to generate malicious payloads and uses DNS logging for verification, demonstrating remote code execution capabilities.

Classification: Working PoC (95%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Apache OFBiz
No auth needed
Prerequisites: Access to ysoserial.jar · Network access to target OFBiz instance
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 4 stars
by rakjong · remote-auth
https://github.com/rakjong/CVE-2021-26295-Apache-OFBiz

This PoC exploits CVE-2021-26295, a deserialization vulnerability in Apache OFBiz, by sending a crafted SOAP request containing a serialized payload generated via ysoserial.jar. The payload triggers a DNS lookup to a specified dnslog, confirming successful exploitation.

Classification: Working PoC (95%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Apache OFBiz
No auth needed
Prerequisites: ysoserial.jar in the same directory · Java environment (not a high version) · Target host and DNS log domain
devstral-2 · analyzed Feb 18, 2026
nomisec SUSPICIOUS
by coolyin001 · poc
https://github.com/coolyin001/CVE-2021-26295--

The repository claims to provide a PoC for CVE-2021-26295 but lacks actual exploit code, instead directing users to external resources or vague instructions. The README is minimal and does not include technical details about the vulnerability.

Classification: Suspicious (80%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Theoretical
Target: Apache OFBiz (versions affected by CVE-2021-26295)
No auth needed
Prerequisites: JDK environment < 12 · ysoserial for payload generation
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by dskho · poc
https://github.com/dskho/CVE-2021-26295

This repository contains a functional exploit for CVE-2021-26295, an Apache OFBiz deserialization vulnerability. The exploit uses ysoserial to generate a malicious payload and sends it via a SOAP request to achieve remote code execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache OFBiz
No auth needed
Prerequisites: ysoserial.jar · VPS with JRMPListener and netcat · Target URL with vulnerable SOAP endpoint
devstral-2 · analyzed Feb 18, 2026
metasploit WORKING POC EXCELLENT
by yumusb, Spencer McIntyre, wvu · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_ofbiz_deserialization_soap.rb

This Metasploit module exploits a Java deserialization vulnerability in Apache OFBiz's unauthenticated SOAP endpoint for versions prior to 17.12.06. It leverages the ROME library to execute arbitrary commands via a crafted serialized object.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache OFBiz < 17.12.06
No auth needed
Prerequisites: Network access to the target's SOAP endpoint · Target running a vulnerable version of Apache OFBiz
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Apache OFBiz <17.12.06 - Arbitrary Code Execution
CRITICAL · VERIFIED · by madrobot
Shodan: OFBiz.Visitor= || http.html:"ofbiz" || ofbiz.visitor=
FOFA: body="ofbiz" || app="apache_ofbiz"

References (13)

Core References (13)
Tags: Exploit, Third Party Advisory, VDB Entry, x_refsource_misc
http://packetstormsecurity.com/files/162104/Apache-OFBiz-SOAP-Java-Deserialization.html

Scores

CVSS v3: 9.8
EPSS: 0.9424
EPSS Percentile: 99.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2023-12-05
CWE: CWE-502
Status: published
Products (1): apache/ofbiz < 17.12.06
Published: Mar 22, 2021
Tracked Since: Feb 18, 2026