๐Ÿ” CVE Alert

CVE-2026-63085

HIGH 8.8

Axelor Open Platform 8.x < 8.2.2 Authorization Bypass via Nested Relational Record Persistence

CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th

Axelor Open Platform versions 8.x prior to 8.2.2 contains an authorization bypass vulnerability that allows authenticated non-admin users to escalate privileges by exploiting unenforced field restrictions on nested relational save operations. Attackers can modify sensitive User record fields such as roles and group by submitting changes through a related entity's save path, bypassing the USER_RESTRICTED_FIELDS control and causing the JPA persistence layer to flush attacker-supplied admin role and group assignments on commit.

CWE CWE-863
Vendor axelor
Product axelor-open-platform
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for axelor axelor-open-platform

Be the first to know when new high vulnerabilities affecting axelor axelor-open-platform are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

axelor / axelor-open-platform
8.0.0 < 8.2.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/geo-chen/oss/blob/main/axelor-open-platform.md github.com: https://github.com/axelor/axelor-open-platform/releases/tag/v8.2.2 vulncheck.com: https://www.vulncheck.com/advisories/axelor-open-platform-8-x-authorization-bypass-via-nested-relational-record-persistence

Credits

George Chen