<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ofbiz on Aretiq AI</title><link>https://aretiq.ai/tags/ofbiz/</link><description>Recent content in Ofbiz on Aretiq AI</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Wed, 20 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://aretiq.ai/tags/ofbiz/index.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-45434 — Apache OFBiz LoginWorker checkLogin Password-Change Flow Authentication Bypass RCE</title><link>https://aretiq.ai/research/vul260520-cve-2026-45434-apache-ofbiz-loginworker-checklogin-password-change-flow-authentication-bypass-rce/</link><pubDate>Wed, 20 May 2026 00:00:00 +0000</pubDate><guid>https://aretiq.ai/research/vul260520-cve-2026-45434-apache-ofbiz-loginworker-checklogin-password-change-flow-authentication-bypass-rce/</guid><description>&lt;h2 id="1-overview">1. Overview&lt;/h2>
&lt;p>A vulnerability exists in Apache OFBiz&amp;rsquo;s login authentication workflow that allows an attacker to bypass a forced password-change restriction and achieve remote code execution. When an administrator sets the &lt;code>requirePasswordChange&lt;/code> flag on a user account — for example after a credential leak, during new employee onboarding, or as a default on demo accounts — the account is supposed to be locked out of all functionality until the user changes their password through the dedicated ChangePassword form. However, &lt;code>LoginWorker.checkLogin()&lt;/code> fails to recognize &lt;code>&amp;quot;requirePasswordChange&amp;quot;&lt;/code> as an authentication failure, treating it identically to a successful login. An attacker who knows the current password of a locked account can bypass the restriction by injecting &lt;code>requirePasswordChange=Y&lt;/code> as an HTTP request parameter along with a new password, causing the login and password change to execute inline and granting immediate access to the requested endpoint. Combined with ProgramExport.groovy lacking both permission checks and a Groovy sandbox in versions prior to 24.09.06, this enables arbitrary OS command execution in a single HTTP request. Apache addressed this vulnerability in version 24.09.06.&lt;/p></description></item></channel></rss>