{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/axelor-open-platform--8.2.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-63085"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Axelor Open Platform (\u003c 8.2.2)"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","vulnerability","authorization-bypass"],"_cs_type":"advisory","_cs_vendors":["Axelor"],"content_html":"\u003cp\u003eAxelor Open Platform versions 8.x, specifically those prior to 8.2.2, are affected by an authorization bypass vulnerability identified as CVE-2026-63085. This critical flaw allows an authenticated non-administrative user to achieve privilege escalation. The vulnerability stems from unenforced field restrictions during nested relational save operations. By leveraging a related entity's save path, attackers can modify sensitive user record fields, such as assigned roles and groups, effectively bypassing the \u003ccode\u003eUSER_RESTRICTED_FIELDS\u003c/code\u003e control. The Java Persistence API (JPA) layer then commits these attacker-supplied administrative role and group assignments. This critical vulnerability, with a CVSS v3.1 Base Score of 8.8, poses a significant risk as it enables unauthorized users to gain full administrative control over the platform, leading to potential data manipulation, system compromise, or further attacks. Defenders must prioritize patching to prevent unauthorized privilege escalation within their Axelor deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user with non-admin privileges successfully logs into the Axelor Open Platform.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a specific related entity's save path that is vulnerable to unenforced field restrictions during nested relational save operations.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to modify their own user record's sensitive fields, such as \u003ccode\u003eroles\u003c/code\u003e or \u003ccode\u003egroups\u003c/code\u003e, by including administrative assignments.\u003c/li\u003e\n\u003cli\u003eThe crafted request is submitted through the identified vulnerable related entity's save path.\u003c/li\u003e\n\u003cli\u003eDue to the authorization bypass, the platform's \u003ccode\u003eUSER_RESTRICTED_FIELDS\u003c/code\u003e control is not enforced for this specific nested relational save operation.\u003c/li\u003e\n\u003cli\u003eThe Java Persistence API (JPA) persistence layer processes the request and flushes the attacker-supplied administrative role and group assignments on commit.\u003c/li\u003e\n\u003cli\u003eThe attacker's user account is successfully granted administrative privileges within the Axelor Open Platform.\u003c/li\u003e\n\u003cli\u003eThe attacker now has full administrative control over the platform, enabling further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-63085 grants an authenticated non-administrative user full administrative privileges within the Axelor Open Platform. This can lead to a complete compromise of the system, allowing the attacker to access, modify, or delete any data, disrupt business operations, install malicious software, or establish persistent access. Organizations using affected versions face severe risks, including data breaches, operational downtime, and reputational damage. The lack of proper authorization enforcement means that a standard user can elevate themselves to the highest level of control, bypassing all security controls designed to segregate duties, potentially leading to unauthorized data exposure or manipulation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-63085\u003c/strong\u003e: Immediately upgrade all Axelor Open Platform installations to version 8.2.2 or newer to mitigate the authorization bypass vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor application logs\u003c/strong\u003e: Implement detailed logging and review Axelor application logs for unusual changes to user roles or group assignments, especially those initiated by non-administrative accounts, to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement strong access controls\u003c/strong\u003e: Regularly audit user permissions and ensure the principle of least privilege is strictly enforced for all users within the Axelor Open Platform.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T17:20:39Z","date_published":"2026-07-16T17:20:39Z","id":"https://feed.craftedsignal.io/briefs/2026-07-axelor-privilege-escalation/","summary":"An authorization bypass vulnerability, CVE-2026-63085, in Axelor Open Platform versions 8.x prior to 8.2.2 allows authenticated non-admin users to exploit unenforced field restrictions during nested relational save operations to modify sensitive user record fields like roles and groups, thereby escalating privileges to administrative levels.","title":"Authorization Bypass in Axelor Open Platform (CVE-2026-63085)","url":"https://feed.craftedsignal.io/briefs/2026-07-axelor-privilege-escalation/"}],"language":"en","title":"CraftedSignal Threat Feed - Axelor Open Platform (\u003c 8.2.2)","version":"https://jsonfeed.org/version/1.1"}