CVE-2026-46586

HIGH

Apache OFBiz: Improper Validation in traverseContent Service Enables Authenticated Groovy Code Execution

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-46586. PoCs published by lwd3c.

AI-analyzed exploit summary The repository contains a functional exploit PoC for CVE-2026-46586, an authenticated RCE vulnerability in Apache OFBiz. The exploit leverages improper validation in the `traverseContent` service to execute arbitrary Groovy code via the `pickWhen` parameter, leading to command execution on the server.

Description

Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Exploits (1)

github WORKING POC
by lwd3c · shellpoc
https://github.com/lwd3c/CVE-2026-46586

The repository contains a functional exploit PoC for CVE-2026-46586, an authenticated RCE vulnerability in Apache OFBiz. The exploit leverages improper validation in the `traverseContent` service to execute arbitrary Groovy code via the `pickWhen` parameter, leading to command execution on the server.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache OFBiz (tested on trunk revision def2d13bb14a4a74fcac7f6e38a83fec7c32fc54)
Auth required
Prerequisites: Authenticated user with SERVICE_MAINT permission · Access to the OFBiz web interface
mistral-large-3 · analyzed May 27, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 8.8
EPSS 0.0055
EPSS Percentile 42.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-94 CWE-95
Status published
Products (2)
apache/ofbiz < 24.09.06
Apache Software Foundation/Apache OFBiz < 24.09.06
Published May 19, 2026
Tracked Since May 19, 2026