{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/openam/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["openam-oauth2 (\u003e= 13.0.0, \u003c 16.1.1)"],"_cs_severities":["critical"],"_cs_tags":["xss","web-vulnerability","openam","oidc","oauth2"],"_cs_type":"advisory","_cs_vendors":["OpenIdentityPlatform"],"content_html":"\u003cp\u003eOpenIdentityPlatform OpenAM, a popular access management solution, is affected by a critical pre-authentication reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-44203. The vulnerability resides in the \u003ccode\u003eopenam-oauth2\u003c/code\u003e component, specifically within the OAuth 2.0 / OpenID Connect authorization endpoint when utilizing the \u003ccode\u003eform_post\u003c/code\u003e response mode. Insufficient sanitization of user-supplied parameters, notably the \u003ccode\u003estate\u003c/code\u003e parameter, before their inclusion in the HTML response (generated by \u003ccode\u003eFormPostResponse.ftl\u003c/code\u003e) allows attackers to inject arbitrary client-side script. This flaw impacts OpenAM versions from 13.0.0 up to, but not including, 16.1.1. Defenders must prioritize patching to prevent attackers from exploiting this vulnerability to execute malicious code within the victim's browser in the context of the OpenAM origin, potentially leading to session compromise or credential theft.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable OpenAM instance exposed to the internet.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious URL targeting the OpenAM OAuth2/OIDC authorization endpoint, embedding an XSS payload (e.g., \u003ccode\u003e\u0026lt;script\u0026gt;alert(document.domain)\u0026lt;/script\u0026gt;\u003c/code\u003e) within the \u003ccode\u003estate\u003c/code\u003e parameter. The URL also specifies \u003ccode\u003eresponse_mode=form_post\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker distributes this crafted URL to a potential victim, typically via a phishing email, malicious web link, or social engineering.\u003c/li\u003e\n\u003cli\u003eVictim clicks the malicious URL, sending a request to the vulnerable OpenAM server that includes the attacker-controlled \u003ccode\u003estate\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eOpenAM, processing the request for the \u003ccode\u003eform_post\u003c/code\u003e response mode, fails to adequately sanitize the \u003ccode\u003estate\u003c/code\u003e parameter due to CVE-2026-44203 and embeds the malicious script directly into the HTML response (\u003ccode\u003eFormPostResponse.ftl\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe victim's web browser receives the crafted HTML response and, treating it as legitimate content from the OpenAM domain, executes the embedded malicious JavaScript.\u003c/li\u003e\n\u003cli\u003eThe executed XSS payload performs actions such as stealing the victim's session cookies, attempting to harvest credentials, or performing arbitrary actions on behalf of the user within the OpenAM application.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the stolen information or actions to gain unauthorized access or control within the victim's OpenAM session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of CVE-2026-44203 grants an attacker the ability to execute arbitrary client-side script within the victim's browser, operating under the security context of the OpenAM domain. This can lead to severe consequences including session hijacking, credential theft, defacement of the legitimate OpenAM interface, or redirection to malicious sites. The critical CVSS score of 9.3 underscores the potential for significant compromise due to the vulnerability being pre-authentication and having high impacts on confidentiality and integrity. Although specific victim counts are not available, all organizations running vulnerable OpenAM versions are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-44203 immediately by upgrading \u003ccode\u003emaven/org.openidentityplatform.openam:openam-oauth2\u003c/code\u003e to version 16.1.1 or higher.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetect CVE-2026-44203 Exploitation - OpenAM Reflected XSS\u003c/code\u003e Sigma rule to your SIEM for early detection of exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConfigure web server or WAF logging to capture full HTTP request details, especially \u003ccode\u003ecs-uri-query\u003c/code\u003e parameters, for all traffic directed at OpenAM endpoints.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for requests to \u003ccode\u003e/oauth2/realms/*/authorize\u003c/code\u003e containing \u003ccode\u003eresponse_mode=form_post\u003c/code\u003e and suspicious, script-like content in the \u003ccode\u003estate\u003c/code\u003e parameter as identified by the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:05:31Z","date_published":"2026-07-03T11:05:31Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openam-xss-cve-2026-44203/","summary":"A critical pre-authentication reflected Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-44203, in OpenIdentityPlatform OpenAM's `openam-oauth2` component allows an unauthenticated attacker to inject malicious scripts into a victim's browser context by manipulating the `state` parameter in OAuth2/OIDC `form_post` responses, leading to session hijacking or credential theft.","title":"OpenAM Pre-Authentication Reflected XSS via OAuth2/OIDC state parameter (CVE-2026-44203)","url":"https://feed.craftedsignal.io/briefs/2026-07-openam-xss-cve-2026-44203/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenAM Community Edition \u003c= 16.0.6","openam-auth-webauthn \u003c= 16.0.6"],"_cs_severities":["critical"],"_cs_tags":["deserialization","RCE","OpenAM","WebAuthn","CVE","application-exploitation"],"_cs_type":"advisory","_cs_vendors":["Open Identity Platform"],"content_html":"\u003cp\u003eA critical security vulnerability, CVE-2026-45051, has been disclosed in OpenAM Community Edition affecting versions up to 16.0.6. The flaw resides in the WebAuthn authentication module, specifically within the \u003ccode\u003eopenam-auth-webauthn\u003c/code\u003e component, and is categorized as a deserialization of untrusted data (CWE-502). This vulnerability can lead to pre-authentication arbitrary code execution (RCE) in the context of the application server. Exploitation requires a specific pre-condition: an attacker must first be able to write attacker-controlled serialized Java objects to a user's storage attribute that is subsequently read by the WebAuthn module. While this is not the default configuration, it is feasible in deployments where the storage attribute is made user-writable through misconfiguration or other vulnerabilities. The vulnerability has been addressed in OpenAM Community Edition version 16.1.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise/Pre-condition fulfillment\u003c/strong\u003e: An attacker gains the ability to write arbitrary data to an OpenAM user's storage attribute. This could occur through various means such as abusing delegated administration privileges, gaining write access to the backing LDAP/directory user record, exploiting a separate vulnerability like legacy REST self-registration, or due to an unsafe reconfiguration of the \u003ccode\u003euserAttribute\u003c/code\u003e to an attacker-writable string attribute.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Injection\u003c/strong\u003e: The attacker crafts a malicious serialized Java object (gadget payload) specifically designed for arbitrary code execution on the application server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Modification\u003c/strong\u003e: The attacker leverages their acquired write access to modify a target user's storage attribute within OpenAM, embedding the crafted serialized Java object as the attribute's value.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Flow Initiation\u003c/strong\u003e: The attacker initiates a WebAuthn authentication flow, either by attempting to authenticate as the modified user or by triggering any process within OpenAM that involves the retrieval and processing of the modified user's WebAuthn-related data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Deserialization\u003c/strong\u003e: OpenAM's WebAuthn module, while processing the authentication flow, attempts to deserialize the content of the compromised storage attribute, which now contains the attacker's malicious serialized Java object.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution\u003c/strong\u003e: During the deserialization process, the malicious Java gadget payload embedded within the storage attribute is executed by the underlying Java Virtual Machine on the OpenAM application server, resulting in arbitrary code execution with the privileges of the application server user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf successfully exploited, CVE-2026-45051 grants an attacker arbitrary code execution on the OpenAM application server. This means an attacker could completely compromise the identity management system, gaining control over user accounts, accessing sensitive information, manipulating authentication processes, or establishing persistent access within the targeted organization's network. While the vulnerability requires a pre-condition where a storage attribute becomes user-writable (which is not the default), the product allows administrators to configure this attribute freely without warnings or enforcement, making such misconfigurations feasible in real-world deployments. The impact extends to all data and systems relying on the compromised OpenAM instance for authentication and authorization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update OpenAM Community Edition to version 16.1.1 or later to patch CVE-2026-45051.\u003c/li\u003e\n\u003cli\u003eReview OpenAM configurations to ensure that the WebAuthn user storage attribute is not set to an attacker-writable string attribute and is managed only by server-side processes.\u003c/li\u003e\n\u003cli\u003eScrutinize all administrative access and delegated administration privileges to prevent unauthorized modification of user attributes.\u003c/li\u003e\n\u003cli\u003eImplement rigorous logging and monitoring for attempts to modify user attributes, especially those related to WebAuthn, within OpenAM and its backing directories (e.g., LDAP).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T10:48:07Z","date_published":"2026-07-03T10:48:07Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openam-rce/","summary":"A critical deserialization of untrusted data vulnerability, identified as CVE-2026-45051, in OpenAM's WebAuthn authentication module (openam-auth-webauthn) allows for pre-authentication arbitrary code execution (RCE) on the application server if an attacker can first write controlled data to a user's storage attribute, impacting OpenAM Community Edition through version 16.0.6.","title":"OpenAM Pre-Auth RCE via WebAuthn Java Deserialization (CVE-2026-45051)","url":"https://feed.craftedsignal.io/briefs/2026-07-openam-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenAM Community Edition (\u003c= 16.0.6)","openam-federation-library (\u003c= 16.0.6)"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","identity-management","web-application","openam"],"_cs_type":"advisory","_cs_vendors":["Open Identity Platform"],"content_html":"\u003cp\u003eA critical improper authorization vulnerability (CVE-2026-45052) has been identified in OpenAM Community Edition, affecting versions through 16.0.6. This flaw resides within the Liberty Web Services SOAP receiver, specifically in its IDPP/Discovery Endpoints. An unauthenticated remote attacker can exploit this vulnerability to perform anonymous writes of persistent entries into the Liberty Discovery store. These malicious writes can target any user's LDAP entry or a shared root-realm Discovery branch. The exploit bypasses standard LDAP and identity Access Control Lists (ACLs) because the server-side Discovery handlers process these requests with elevated internal privileges, explicitly utilizing an internal admin token. This vulnerability, stemming from a legacy protocol (Liberty ID-WSF), allows attackers to manipulate core identity data, with potential downstream impacts on service routing or security mechanism selection in deployments that consume this Discovery data. The issue was patched in OpenAM Community Edition version 16.1.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eTarget Identification\u003c/strong\u003e: An unauthenticated remote attacker identifies an internet-facing OpenAM Community Edition instance running a vulnerable version (\u0026lt;= 16.0.6) that exposes the Liberty Web Services SOAP endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEndpoint Discovery\u003c/strong\u003e: The attacker discovers the vulnerable Liberty IDPP/Discovery SOAP endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Request Crafting\u003c/strong\u003e: The attacker crafts a specially designed SOAP request containing data intended to be written persistently into OpenAM's identity store.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Request Submission\u003c/strong\u003e: The attacker submits the crafted SOAP request to the vulnerable Liberty IDPP/Discovery endpoint without requiring any authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Internal)\u003c/strong\u003e: The vulnerable OpenAM server receives the unauthenticated request, and its Liberty Discovery handlers process it using an internal admin token, effectively operating with elevated privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Tampering and Persistence\u003c/strong\u003e: The server-side process bypasses normal LDAP and identity ACLs, successfully writing the attacker's specified persistent entries into the Liberty Discovery store, targeting either a user's LDAP entry or a shared root-realm Discovery branch.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact on Service Routing/Security\u003c/strong\u003e: If downstream systems actively consume Liberty discovery data, these manipulated records could subsequently influence service routing decisions or compromise security mechanism selections, potentially leading to unauthorized access, bypass of authentication, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eOpenAM Community Edition deployments up to version 16.0.6 that have the Liberty Web Services component exposed are severely impacted. An unauthenticated attacker can leverage this vulnerability to inject persistent, unauthorized data into critical identity stores. This includes the ability to modify user LDAP entries and global Discovery branches. Because these writes occur with elevated internal privileges and bypass normal access controls, they represent a significant compromise of the identity management system. In environments where Liberty discovery data is actively utilized, such manipulated records could directly influence how services are routed or how security mechanisms operate, potentially leading to widespread unauthorized access, service disruption, or other severe security compromises across the affected enterprise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch OpenAM Community Edition instances to version 16.1.1 or later to remediate CVE-2026-45052.\u003c/li\u003e\n\u003cli\u003eReview and ensure that the Liberty Web Services component is not exposed unnecessarily, especially if not actively used.\u003c/li\u003e\n\u003cli\u003eConsider implementing network segmentation or access control lists to restrict access to OpenAM's administrative and critical endpoints to trusted sources only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T10:47:14Z","date_published":"2026-07-03T10:47:14Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openam-preauth-soap-tampering/","summary":"An improper authorization vulnerability (CVE-2026-45052) in OpenAM Community Edition through version 16.0.6 allows an unauthenticated attacker to write persistent entries into the Liberty Discovery store on any user's LDAP entry and a shared root-realm Discovery branch, due to a flaw in the Liberty Web Services SOAP receiver that permits anonymous writes with elevated internal privileges, potentially influencing service routing or security mechanisms if Liberty discovery data is consumed.","title":"OpenAM Pre-auth User Profile Tampering via Anonymous SOAP Authn in Liberty IDPP/Discovery Endpoints (CVE-2026-45052)","url":"https://feed.craftedsignal.io/briefs/2026-07-openam-preauth-soap-tampering/"}],"language":"en","title":"CraftedSignal Threat Feed - Openam","version":"https://jsonfeed.org/version/1.1"}