CVE-2026-45434 is a CVSS 9.8 authentication bypass in Apache OFBiz that chains directly to remote code execution. Disclosed May 19-20, fixed in OFBiz 24.09.06. If you run any version before that, assume internet-facing instances are at risk.

The logic flaw is in LoginWorker.checkLogin(). When the internal login() method returns "requirePasswordChange" instead of "error", the check "error".equals(...) evaluates to false -- and the method returns "success" without any credentials having been validated. An attacker triggers this code path to walk through authentication without a password.
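The fail-open shape described above, as an added illustration that is not OFBiz source code: a hypothetical wrapper that treats "not error" as success, beside a fail-closed version that grants a session only on an explicit "success", plus the regression check a defender would keep in a test suite. Status strings follow the text; method names are assumptions.

```java
// Added example: a simplified, hypothetical model of the checkLogin() decision
// described above. It is NOT OFBiz source; status strings follow the text.
import java.util.List;

public class LoginCheckExample {

    /** Vulnerable shape: anything that is not "error" falls through to "success". */
    static String checkLoginVulnerable(String loginResult) {
        if ("error".equals(loginResult)) {
            return "error";
        }
        // Fail-open: "requirePasswordChange" (and any unexpected value) lands here
        return "success";
    }

    /** Hardened shape: only an explicit "success" grants a session. */
    static String checkLoginFixed(String loginResult) {
        switch (loginResult == null ? "" : loginResult) {
            case "success":
                return "success";
            case "requirePasswordChange":
                // Route to the password-change flow; no session is established
                return "requirePasswordChange";
            default:
                // Fail-closed for "error" and anything the caller did not expect
                return "error";
        }
    }

    /** Regression check for a test suite: no status other than "success"
     *  may ever be mapped to "success" by the wrapper. */
    static boolean onlyExplicitSuccessGrants(java.util.function.UnaryOperator<String> check) {
        List<String> statuses = List.of("error", "requirePasswordChange", "unknown", "");
        for (String s : statuses) {
            if ("success".equals(check.apply(s))) {
                return false;
            }
        }
        return "success".equals(check.apply("success"));
    }

    public static void main(String[] args) {
        System.out.println("vulnerable fail-closed? "
                + onlyExplicitSuccessGrants(LoginCheckExample::checkLoginVulnerable));
        System.out.println("fixed fail-closed?      "
                + onlyExplicitSuccessGrants(LoginCheckExample::checkLoginFixed));
    }
}
```

The vulnerable wrapper fails the check because "requirePasswordChange" maps to "success"; the fixed wrapper passes because every status except the explicit "success" is denied or diverted.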

Once authenticated, the chain continues to ProgramExport.groovy. That endpoint lacks permission checks and runs user-supplied code in an unsandboxed GroovyShell. The result is arbitrary code execution as the OFBiz process user. One POST request is enough.

The default password problem

OFBiz ships with more than ten demo accounts -- admin, flexadmin, demoadmin, and others -- all using the default password ofbiz. The auth bypass above does not even require a valid account, but any installation that kept the default credentials is exploitable by a different, simpler path that requires no vulnerability at all.

Demo and staging environments are the highest-risk targets. They are frequently left running with default credentials and exposed to the internet or internal networks without the same scrutiny as production.

OFBiz has a track record here

CVE-2023-51467 followed the same pattern: an authentication bypass in OFBiz that was exploited at scale within days of disclosure. Proof-of-concept code for that CVE appeared within 48 hours. Treat the timeline for CVE-2026-45434 as equivalent until evidence shows otherwise.

Update path

Upgrade to Apache OFBiz 24.09.06.

# Check current version
grep -r "ofbiz.version" framework/common/config/

After upgrading:

  1. Change or disable all default demo accounts immediately
  2. Verify ProgramExport access is restricted if you cannot upgrade right now
  3. Check that no internet-facing endpoint exposes the Groovy execution path

If an immediate upgrade is not possible, block access to ProgramExport.groovy at the network level as a temporary measure. This addresses the RCE escalation but not the auth bypass itself.

For a comparison of how auth bypass chains to code execution in other ecosystems, see CVE-2026-7482: Ollama RCE via unauthenticated API.
Sources: GBHackers technical analysis; NVD CVE-2026-45434; oss-security May 2026