{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/openam-auth-webauthn--16.0.6/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenAM Community Edition \u003c= 16.0.6","openam-auth-webauthn \u003c= 16.0.6"],"_cs_severities":["critical"],"_cs_tags":["deserialization","RCE","OpenAM","WebAuthn","CVE","application-exploitation"],"_cs_type":"advisory","_cs_vendors":["Open Identity Platform"],"content_html":"\u003cp\u003eA critical security vulnerability, CVE-2026-45051, has been disclosed in OpenAM Community Edition affecting versions up to 16.0.6. The flaw resides in the WebAuthn authentication module, specifically within the \u003ccode\u003eopenam-auth-webauthn\u003c/code\u003e component, and is categorized as a deserialization of untrusted data (CWE-502). This vulnerability can lead to pre-authentication arbitrary code execution (RCE) in the context of the application server. Exploitation requires a specific pre-condition: an attacker must first be able to write attacker-controlled serialized Java objects to a user's storage attribute that is subsequently read by the WebAuthn module. While this is not the default configuration, it is feasible in deployments where the storage attribute is made user-writable through misconfiguration or other vulnerabilities. The vulnerability has been addressed in OpenAM Community Edition version 16.1.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise/Pre-condition fulfillment\u003c/strong\u003e: An attacker gains the ability to write arbitrary data to an OpenAM user's storage attribute. This could occur through various means such as abusing delegated administration privileges, gaining write access to the backing LDAP/directory user record, exploiting a separate vulnerability like legacy REST self-registration, or due to an unsafe reconfiguration of the \u003ccode\u003euserAttribute\u003c/code\u003e to an attacker-writable string attribute.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Injection\u003c/strong\u003e: The attacker crafts a malicious serialized Java object (gadget payload) specifically designed for arbitrary code execution on the application server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Modification\u003c/strong\u003e: The attacker leverages their acquired write access to modify a target user's storage attribute within OpenAM, embedding the crafted serialized Java object as the attribute's value.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Flow Initiation\u003c/strong\u003e: The attacker initiates a WebAuthn authentication flow, either by attempting to authenticate as the modified user or by triggering any process within OpenAM that involves the retrieval and processing of the modified user's WebAuthn-related data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Deserialization\u003c/strong\u003e: OpenAM's WebAuthn module, while processing the authentication flow, attempts to deserialize the content of the compromised storage attribute, which now contains the attacker's malicious serialized Java object.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution\u003c/strong\u003e: During the deserialization process, the malicious Java gadget payload embedded within the storage attribute is executed by the underlying Java Virtual Machine on the OpenAM application server, resulting in arbitrary code execution with the privileges of the application server user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf successfully exploited, CVE-2026-45051 grants an attacker arbitrary code execution on the OpenAM application server. This means an attacker could completely compromise the identity management system, gaining control over user accounts, accessing sensitive information, manipulating authentication processes, or establishing persistent access within the targeted organization's network. While the vulnerability requires a pre-condition where a storage attribute becomes user-writable (which is not the default), the product allows administrators to configure this attribute freely without warnings or enforcement, making such misconfigurations feasible in real-world deployments. The impact extends to all data and systems relying on the compromised OpenAM instance for authentication and authorization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update OpenAM Community Edition to version 16.1.1 or later to patch CVE-2026-45051.\u003c/li\u003e\n\u003cli\u003eReview OpenAM configurations to ensure that the WebAuthn user storage attribute is not set to an attacker-writable string attribute and is managed only by server-side processes.\u003c/li\u003e\n\u003cli\u003eScrutinize all administrative access and delegated administration privileges to prevent unauthorized modification of user attributes.\u003c/li\u003e\n\u003cli\u003eImplement rigorous logging and monitoring for attempts to modify user attributes, especially those related to WebAuthn, within OpenAM and its backing directories (e.g., LDAP).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T10:48:07Z","date_published":"2026-07-03T10:48:07Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openam-rce/","summary":"A critical deserialization of untrusted data vulnerability, identified as CVE-2026-45051, in OpenAM's WebAuthn authentication module (openam-auth-webauthn) allows for pre-authentication arbitrary code execution (RCE) on the application server if an attacker can first write controlled data to a user's storage attribute, impacting OpenAM Community Edition through version 16.0.6.","title":"OpenAM Pre-Auth RCE via WebAuthn Java Deserialization (CVE-2026-45051)","url":"https://feed.craftedsignal.io/briefs/2026-07-openam-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Openam-Auth-Webauthn \u003c= 16.0.6","version":"https://jsonfeed.org/version/1.1"}