Skip to content
Threat Feed
critical advisory

OpenAM Pre-Authentication Reflected XSS via OAuth2/OIDC state parameter (CVE-2026-44203)

A critical pre-authentication reflected Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-44203, in OpenIdentityPlatform OpenAM's `openam-oauth2` component allows an unauthenticated attacker to inject malicious scripts into a victim's browser context by manipulating the `state` parameter in OAuth2/OIDC `form_post` responses, leading to session hijacking or credential theft.

OpenIdentityPlatform OpenAM, a popular access management solution, is affected by a critical pre-authentication reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-44203. The vulnerability resides in the openam-oauth2 component, specifically within the OAuth 2.0 / OpenID Connect authorization endpoint when utilizing the form_post response mode. Insufficient sanitization of user-supplied parameters, notably the state parameter, before their inclusion in the HTML response (generated by FormPostResponse.ftl) allows attackers to inject arbitrary client-side script. This flaw impacts OpenAM versions from 13.0.0 up to, but not including, 16.1.1. Defenders must prioritize patching to prevent attackers from exploiting this vulnerability to execute malicious code within the victim's browser in the context of the OpenAM origin, potentially leading to session compromise or credential theft.

Attack Chain

  1. Attacker identifies a vulnerable OpenAM instance exposed to the internet.
  2. Attacker crafts a malicious URL targeting the OpenAM OAuth2/OIDC authorization endpoint, embedding an XSS payload (e.g., <script>alert(document.domain)</script>) within the state parameter. The URL also specifies response_mode=form_post.
  3. Attacker distributes this crafted URL to a potential victim, typically via a phishing email, malicious web link, or social engineering.
  4. Victim clicks the malicious URL, sending a request to the vulnerable OpenAM server that includes the attacker-controlled state parameter.
  5. OpenAM, processing the request for the form_post response mode, fails to adequately sanitize the state parameter due to CVE-2026-44203 and embeds the malicious script directly into the HTML response (FormPostResponse.ftl).
  6. The victim's web browser receives the crafted HTML response and, treating it as legitimate content from the OpenAM domain, executes the embedded malicious JavaScript.
  7. The executed XSS payload performs actions such as stealing the victim's session cookies, attempting to harvest credentials, or performing arbitrary actions on behalf of the user within the OpenAM application.
  8. Attacker leverages the stolen information or actions to gain unauthorized access or control within the victim's OpenAM session.

Impact

A successful exploitation of CVE-2026-44203 grants an attacker the ability to execute arbitrary client-side script within the victim's browser, operating under the security context of the OpenAM domain. This can lead to severe consequences including session hijacking, credential theft, defacement of the legitimate OpenAM interface, or redirection to malicious sites. The critical CVSS score of 9.3 underscores the potential for significant compromise due to the vulnerability being pre-authentication and having high impacts on confidentiality and integrity. Although specific victim counts are not available, all organizations running vulnerable OpenAM versions are at risk.

Recommendation

  • Patch CVE-2026-44203 immediately by upgrading maven/org.openidentityplatform.openam:openam-oauth2 to version 16.1.1 or higher.
  • Deploy the Detect CVE-2026-44203 Exploitation - OpenAM Reflected XSS Sigma rule to your SIEM for early detection of exploitation attempts.
  • Configure web server or WAF logging to capture full HTTP request details, especially cs-uri-query parameters, for all traffic directed at OpenAM endpoints.
  • Monitor web server access logs for requests to /oauth2/realms/*/authorize containing response_mode=form_post and suspicious, script-like content in the state parameter as identified by the Sigma rule.

Detection coverage 1

Detect CVE-2026-44203 Exploitation - OpenAM Reflected XSS

high

Detects CVE-2026-44203 exploitation - HTTP requests to OpenAM's OAuth2/OIDC authorization endpoint with 'response_mode=form_post' and suspicious characters in the 'state' parameter indicative of reflected XSS attempts.

sigma tactics: execution, initial_access techniques: T1059.004, T1190 sources: webserver

Detection queries are available on the platform. Get full rules →