Apache OFBiz Hard-Coded Key CVE-2026-31986 (pre-24.09.06)
CVE-2026-31986 Published on May 19, 2026

Apache OFBiz: Unauthenticated RCE via Default JWT Signing Key and Widget Template Injection
Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Vendor Advisory NVD

Weakness Type

Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

Products Associated with CVE-2026-31986

Want to know whenever a new CVE is published for Apache OFBiz? stack.watch will email you.

Apache OFBiz

Affected Versions

Apache Software Foundation Apache OFBiz:

Before 24.09.06 is affected.

Apache OFBiz Hard-Coded Key CVE-2026-31986 (pre-24.09.06)CVE-2026-31986 Published on May 19, 2026

Weakness Type

Use of Hard-coded Cryptographic Key

Products Associated with CVE-2026-31986

Affected Versions

Apache OFBiz Hard-Coded Key CVE-2026-31986 (pre-24.09.06)
CVE-2026-31986 Published on May 19, 2026