CVE-2026-63085

Axelor · Axelor Open Platform

Axelor Open Platform versions 8.0.0 through 8.2.1 contain an incorrect authorization vulnerability that allows authenticated users to bypass security controls via nested relational record persistence.

Executive summary

An incorrect authorization vulnerability in the Axelor Open Platform allows an authenticated user to perform unauthorized actions with high impact, necessitating an immediate update.

Vulnerability

This vulnerability involves an authorization bypass caused by improper handling of nested relational record persistence. It requires an attacker to have low-level user privileges to exploit the flaw successfully.

Business impact

The vulnerability carries a CVSS score of 8.8, reflecting its high severity. Successful exploitation could lead to full unauthorized access, data modification, or system integrity loss, potentially resulting in significant operational disruption and data compromise for organizations relying on the platform.

Remediation

Immediate Action: Update the Axelor Open Platform to version 8.2.2 or later to apply the necessary authorization checks.

Proactive Monitoring: Inspect application and server access logs for unusual patterns of record modification or attempts to access administrative functions by standard users.

Compensating Controls: Implement strict Web Application Firewall (WAF) rules to filter suspicious API requests that involve complex or nested relational data structures.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

Given the high CVSS score and the nature of the authorization bypass, administrators must prioritize patching this vulnerability. Organizations should verify their current version of the Axelor Open Platform and apply the 8.2.2 update immediately to prevent potential exploitation of their business-critical data.