CVE-2026-63085
Deferred Deferred - Pending Action

Privilege Escalation in Axelor Open Platform

Vulnerability report for CVE-2026-63085, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: VulnCheck

Description

Axelor Open Platform versions 8.x prior to 8.2.2 contains an authorization bypass vulnerability that allows authenticated non-admin users to escalate privileges by exploiting unenforced field restrictions on nested relational save operations. Attackers can modify sensitive User record fields such as roles and group by submitting changes through a related entity's save path, bypassing the USER_RESTRICTED_FIELDS control and causing the JPA persistence layer to flush attacker-supplied admin role and group assignments on commit.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
axelor open_platform 8.2.2
axelor open_platform to 8.2.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-63085 is an authorization bypass vulnerability in Axelor Open Platform versions 8.x before 8.2.2. It allows authenticated non-admin users to escalate privileges by exploiting unenforced field restrictions during nested relational save operations. Attackers can modify sensitive User record fields like roles and groups through a related entity's save path, bypassing the USER_RESTRICTED_FIELDS control. The JPA persistence layer then applies these admin role assignments upon commit.

Detection Guidance

To detect this vulnerability, monitor for unauthorized privilege escalations in User records. Check for non-admin users modifying roles or groups via nested relational saves. Review application logs for suspicious save operations on related entities like Team.members that include User field changes. Look for unexpected admin role assignments or group modifications in User records.

Impact Analysis

This vulnerability allows non-admin users to gain admin-level access by modifying User records through indirect paths. Attackers could assign themselves or others admin roles and groups, potentially taking full control of the system. This could lead to unauthorized data access, system manipulation, or complete compromise of the Axelor Open Platform instance.

Compliance Impact

This vulnerability could severely impact compliance with GDPR and HIPAA by enabling unauthorized access to sensitive data. GDPR requires strict access controls and data protection measures, while HIPAA mandates role-based access controls for protected health information. A privilege escalation flaw like this could result in unauthorized data exposure, violating these regulations and potentially leading to legal penalties and reputational damage.

Mitigation Strategies

Immediately upgrade to Axelor Open Platform version 8.2.2 or later to patch the vulnerability. Review and restrict write permissions on User records for non-admin users. Audit User records for unauthorized privilege changes and revert any suspicious admin role assignments. Monitor for unusual nested relational save operations involving User fields.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63085. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart