CVE-2024-38002: Liferay Portal and Liferay DXP Workflow Component Does Not Check User Permissions

October 22, 2024 (updated August 8, 2025)

The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API.

References

github.com/advisories/GHSA-3mfq-fp2f-vwqh
github.com/liferay/liferay-portal
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-38002
nvd.nist.gov/vuln/detail/CVE-2024-38002

Code Behaviors & Features

Detect and mitigate CVE-2024-38002 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →