CVE-2026-31986

9.1 CRITICAL

Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz

Published: 2026-05-19 · Last updated: 2026-05-19

Severity and scoring

CVSS: 9.1 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-321

Affected products

Vendor	Product
apache	ofbiz

Description

Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-31986
[Vendor advisory]https://lists.apache.org/thread/2hl9xoqm8tq8b22x6vnmtp7tg3opcqgc
[Other]http://www.openwall.com/lists/oss-security/2026/05/19/25

Related CVEs

Same vendor

CVE-2026-25700 — Improper Restriction of Security Token Assignment vulnerability in Apache Answer (7.2 HIGH)
CVE-2026-34905 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer (6.5 MEDIUM)
CVE-2026-34033 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache Answer (5.4 MEDIUM)
CVE-2026-34031 — Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer (6.5 MEDIUM)
CVE-2026-33582 — Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer (6.5 MEDIUM)

Same CWE

CVE-2026-11505 — A flaw has been found in GL.iNet A1300, AX1800, AXT1800, MT2500, MT3000, MT6000, X3000 and XE3000 4.8.x (5.0 MEDIUM)
CVE-2026-46395 — HAX CMS helps manage microsite universe with PHP or NodeJs backends
CVE-2026-11347 — The linqi application contains hardcoded cryptographic keys
CVE-2026-45433 — This vulnerability exists in GX Earth 2022 ONT models due to the presence of hardcoded RSA private key within the device firmware
CVE-2026-50226 — Fixed AES-128-CBC keys inside the AcerConnect OTA application let attackers forge authorization credentials for arbitrary IMEI numbers (5.3 MEDIUM)