CVE-2026-63085

Source
https://cve.org/CVERecord?id=CVE-2026-63085
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-63085.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-63085
Published
2026-07-16T15:56:34.573Z
Modified
2026-07-19T03:31:02.935717809Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Axelor Open Platform 8.x < 8.2.2 Authorization Bypass via Nested Relational Record Persistence
Details

Axelor Open Platform versions 8.x prior to 8.2.2 contains an authorization bypass vulnerability that allows authenticated non-admin users to escalate privileges by exploiting unenforced field restrictions on nested relational save operations. Attackers can modify sensitive User record fields such as roles and group by submitting changes through a related entity's save path, bypassing the USERRESTRICTEDFIELDS control and causing the JPA persistence layer to flush attacker-supplied admin role and group assignments on commit.

Database specific
{
    "cwe_ids": [
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/63xxx/CVE-2026-63085.json",
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/axelor/axelor-open-platform

Affected ranges

Type
GIT
Repo
https://github.com/axelor/axelor-open-platform
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.2.2"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.0.4
v8.0.5
v8.1.0
v8.1.1
v8.2.0
v8.2.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-63085.json"