{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/jmx-rmi/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenDJ Community Edition \u003c= 5.1.0","opendj-server-legacy \u003c= 5.1.0"],"_cs_severities":["critical"],"_cs_tags":["java","deserialization","rce","opendj","jmx-rmi","pre-auth","network"],"_cs_type":"advisory","_cs_vendors":["Open Identity Platform"],"content_html":"\u003cp\u003eA critical pre-authentication remote code execution (RCE) vulnerability, identified as CVE-2026-46495, impacts OpenDJ Community Edition versions up to 5.1.0. This flaw stems from a deserialization of untrusted data (CWE-502) within OpenDJ's JMX RMI connector, which allows an unauthenticated remote attacker to deserialize arbitrary Java objects on the server. The vulnerability exists because the platform processes attacker-controlled bytes prior to any authentication. While the JMX Connection Handler is disabled by default, it is frequently enabled in production environments for monitoring purposes, significantly expanding the attack surface. Exploitation requires direct TCP reachability to the configured JMX listener and does not necessitate prior authentication, specific privileges, or client certificates. Successful exploitation can lead to complete system compromise, with the specific impact depending on the server's runtime classpath and Java version. This issue was patched in OpenDJ Community Edition version 5.1.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated remote attacker identifies an internet-accessible OpenDJ server with the JMX Connection Handler enabled, listening for JMX RMI connections.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious serialized Java object payload designed to execute arbitrary commands upon deserialization.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a connection to the OpenDJ JMX RMI listener.\u003c/li\u003e\n\u003cli\u003eThe attacker transmits the crafted malicious serialized Java object payload over the JMX RMI connection.\u003c/li\u003e\n\u003cli\u003eThe OpenDJ server, due to the deserialization of untrusted data vulnerability (CVE-2026-46495), processes and deserializes the attacker-controlled bytes before any authentication takes place.\u003c/li\u003e\n\u003cli\u003eDuring deserialization, the malicious Java object triggers arbitrary code execution on the underlying operating system within the context of the OpenDJ server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthenticated Remote Code Execution (RCE) on the server, potentially leading to full system compromise or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis critical vulnerability impacts all OpenDJ Community Edition releases up to 5.1.0 where the JMX Connection Handler is enabled, a common practice for monitoring integrations. Successful exploitation requires TCP reachability to the JMX listener and grants unauthenticated Remote Code Execution (RCE), allowing attackers to run arbitrary code on the server. The severity of the RCE and potential for system compromise depends on the server's runtime classpath and Java version. For example, unauthenticated RCE was specifically demonstrated on OpenDJ 4.4.15 running JDK 11 with Jackson 2.12.6.1, indicating a high potential for severe consequences including data breach, system disruption, or further network lateral movement.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching all affected OpenDJ Community Edition instances to version 5.1.1 or higher immediately to remediate CVE-2026-46495.\u003c/li\u003e\n\u003cli\u003eReview network firewall rules to ensure that the OpenDJ JMX RMI connector port (default 1099, though configurable) is not exposed to untrusted networks or the internet unless absolutely necessary.\u003c/li\u003e\n\u003cli\u003eDisable the JMX Connection Handler if it is not explicitly required for monitoring integrations, as it is disabled by default in OpenDJ.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:03:19Z","date_published":"2026-07-03T11:03:19Z","id":"https://feed.craftedsignal.io/briefs/2026-07-opendj-pre-auth-rce/","summary":"A critical pre-authentication remote code execution (RCE) vulnerability, CVE-2026-46495, exists in OpenDJ Community Edition affecting versions up to 5.1.0, where a deserialization of untrusted data issue in the JMX RMI connector allows unauthenticated attackers with TCP reachability to the JMX listener to execute arbitrary Java objects, potentially leading to full system compromise.","title":"OpenDJ Pre-Auth RCE via Java Deserialization in JMX RMI (CVE-2026-46495)","url":"https://feed.craftedsignal.io/briefs/2026-07-opendj-pre-auth-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Jmx-Rmi","version":"https://jsonfeed.org/version/1.1"}