Skip to content
Threat Feed

Tag

Openam

3 briefs RSS
critical advisory

OpenAM Pre-Authentication Reflected XSS via OAuth2/OIDC state parameter (CVE-2026-44203)

A critical pre-authentication reflected Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-44203, in OpenIdentityPlatform OpenAM's `openam-oauth2` component allows an unauthenticated attacker to inject malicious scripts into a victim's browser context by manipulating the `state` parameter in OAuth2/OIDC `form_post` responses, leading to session hijacking or credential theft.

openam-oauth2 xss web-vulnerability openam oidc oauth2
1r 2t
critical advisory

OpenAM Pre-Auth RCE via WebAuthn Java Deserialization (CVE-2026-45051)

A critical deserialization of untrusted data vulnerability, identified as CVE-2026-45051, in OpenAM's WebAuthn authentication module (openam-auth-webauthn) allows for pre-authentication arbitrary code execution (RCE) on the application server if an attacker can first write controlled data to a user's storage attribute, impacting OpenAM Community Edition through version 16.0.6.

OpenAM Community Edition <= 16.0.6 +1 deserialization RCE OpenAM WebAuthn CVE application-exploitation
2t
critical advisory

OpenAM Pre-auth User Profile Tampering via Anonymous SOAP Authn in Liberty IDPP/Discovery Endpoints (CVE-2026-45052)

An improper authorization vulnerability (CVE-2026-45052) in OpenAM Community Edition through version 16.0.6 allows an unauthenticated attacker to write persistent entries into the Liberty Discovery store on any user's LDAP entry and a shared root-realm Discovery branch, due to a flaw in the Liberty Web Services SOAP receiver that permits anonymous writes with elevated internal privileges, potentially influencing service routing or security mechanisms if Liberty discovery data is consumed.

OpenAM Community Edition +1 vulnerability identity-management web-application openam
2t