CVE-2026-63085 in Open Platforminfo

Summary

by MITRE • 07/16/2026

Axelor Open Platform versions 8.x prior to 8.2.2 contains an authorization bypass vulnerability that allows authenticated non-admin users to escalate privileges by exploiting unenforced field restrictions on nested relational save operations. Attackers can modify sensitive User record fields such as roles and group by submitting changes through a related entity's save path, bypassing the USER_RESTRICTED_FIELDS control and causing the JPA persistence layer to flush attacker-supplied admin role and group assignments on commit.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/16/2026

This vulnerability represents a critical authorization bypass flaw in Axelor Open Platform version 8.x prior to 8.2.2 that fundamentally undermines the application's access control mechanisms. The weakness stems from insufficient validation of field-level restrictions during nested relational persistence operations, creating an exploitable gap in the security model that allows authenticated users to escalate their privileges without proper administrative authorization.

The technical implementation of this vulnerability exploits a specific flaw in how the JPA persistence layer handles nested entity modifications. When users attempt to save related entities, the system fails to enforce the USER_RESTRICTED_FIELDS control mechanism that should prevent modification of sensitive user attributes such as roles and group assignments. This occurs because the validation checks are only applied at the immediate entity level rather than being recursively enforced through the entire object graph during save operations.

The operational impact of this vulnerability is severe as it enables attackers to gain administrative privileges without proper authorization. An authenticated non-admin user can manipulate their own user record or that of other users by leveraging related entities in their save operations, effectively bypassing the intended access controls. The persistence layer flushes attacker-supplied values for admin roles and group assignments directly into the database upon commit, making this privilege escalation persistent and immediately effective.

This vulnerability aligns with CWE-285, which addresses improper authorization in software systems, and specifically demonstrates weaknesses in access control enforcement during data persistence operations. From an ATT&CK framework perspective, this represents a privilege escalation technique that leverages application-level flaws to gain elevated system access. The attack vector operates through the legitimate save functionality of the platform, making it particularly difficult to detect and prevent through traditional network-based security measures.

Organizations affected by this vulnerability should immediately implement mitigations including patching to version 8.2.2 or later, implementing additional field-level validation controls, and conducting thorough access control audits. The fix requires enforcing restrictive field validation throughout the entire object graph during nested save operations, ensuring that USER_RESTRICTED_FIELDS restrictions are consistently applied regardless of the entity modification path. Additional defensive measures such as enhanced logging of user privilege changes and implementation of role-based access control monitoring can help detect potential exploitation attempts while the system is being patched.

Responsible

VulnCheck

Reservation

07/15/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!