<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Openam - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/openam/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:05:31 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/openam/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenAM Pre-Authentication Reflected XSS via OAuth2/OIDC state parameter (CVE-2026-44203)</title><link>https://feed.craftedsignal.io/briefs/2026-07-openam-xss-cve-2026-44203/</link><pubDate>Fri, 03 Jul 2026 11:05:31 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-openam-xss-cve-2026-44203/</guid><description>A critical pre-authentication reflected Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-44203, in OpenIdentityPlatform OpenAM's `openam-oauth2` component allows an unauthenticated attacker to inject malicious scripts into a victim's browser context by manipulating the `state` parameter in OAuth2/OIDC `form_post` responses, leading to session hijacking or credential theft.</description><content:encoded><![CDATA[<p>OpenIdentityPlatform OpenAM, a popular access management solution, is affected by a critical pre-authentication reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-44203. The vulnerability resides in the <code>openam-oauth2</code> component, specifically within the OAuth 2.0 / OpenID Connect authorization endpoint when utilizing the <code>form_post</code> response mode. Insufficient sanitization of user-supplied parameters, notably the <code>state</code> parameter, before their inclusion in the HTML response (generated by <code>FormPostResponse.ftl</code>) allows attackers to inject arbitrary client-side script. This flaw impacts OpenAM versions from 13.0.0 up to, but not including, 16.1.1. Defenders must prioritize patching to prevent attackers from exploiting this vulnerability to execute malicious code within the victim's browser in the context of the OpenAM origin, potentially leading to session compromise or credential theft.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable OpenAM instance exposed to the internet.</li>
<li>Attacker crafts a malicious URL targeting the OpenAM OAuth2/OIDC authorization endpoint, embedding an XSS payload (e.g., <code>&lt;script&gt;alert(document.domain)&lt;/script&gt;</code>) within the <code>state</code> parameter. The URL also specifies <code>response_mode=form_post</code>.</li>
<li>Attacker distributes this crafted URL to a potential victim, typically via a phishing email, malicious web link, or social engineering.</li>
<li>Victim clicks the malicious URL, sending a request to the vulnerable OpenAM server that includes the attacker-controlled <code>state</code> parameter.</li>
<li>OpenAM, processing the request for the <code>form_post</code> response mode, fails to adequately sanitize the <code>state</code> parameter due to CVE-2026-44203 and embeds the malicious script directly into the HTML response (<code>FormPostResponse.ftl</code>).</li>
<li>The victim's web browser receives the crafted HTML response and, treating it as legitimate content from the OpenAM domain, executes the embedded malicious JavaScript.</li>
<li>The executed XSS payload performs actions such as stealing the victim's session cookies, attempting to harvest credentials, or performing arbitrary actions on behalf of the user within the OpenAM application.</li>
<li>Attacker leverages the stolen information or actions to gain unauthorized access or control within the victim's OpenAM session.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploitation of CVE-2026-44203 grants an attacker the ability to execute arbitrary client-side script within the victim's browser, operating under the security context of the OpenAM domain. This can lead to severe consequences including session hijacking, credential theft, defacement of the legitimate OpenAM interface, or redirection to malicious sites. The critical CVSS score of 9.3 underscores the potential for significant compromise due to the vulnerability being pre-authentication and having high impacts on confidentiality and integrity. Although specific victim counts are not available, all organizations running vulnerable OpenAM versions are at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-44203 immediately by upgrading <code>maven/org.openidentityplatform.openam:openam-oauth2</code> to version 16.1.1 or higher.</li>
<li>Deploy the <code>Detect CVE-2026-44203 Exploitation - OpenAM Reflected XSS</code> Sigma rule to your SIEM for early detection of exploitation attempts.</li>
<li>Configure web server or WAF logging to capture full HTTP request details, especially <code>cs-uri-query</code> parameters, for all traffic directed at OpenAM endpoints.</li>
<li>Monitor web server access logs for requests to <code>/oauth2/realms/*/authorize</code> containing <code>response_mode=form_post</code> and suspicious, script-like content in the <code>state</code> parameter as identified by the Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>xss</category><category>web-vulnerability</category><category>openam</category><category>oidc</category><category>oauth2</category></item><item><title>OpenAM Pre-Auth RCE via WebAuthn Java Deserialization (CVE-2026-45051)</title><link>https://feed.craftedsignal.io/briefs/2026-07-openam-rce/</link><pubDate>Fri, 03 Jul 2026 10:48:07 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-openam-rce/</guid><description>A critical deserialization of untrusted data vulnerability, identified as CVE-2026-45051, in OpenAM's WebAuthn authentication module (openam-auth-webauthn) allows for pre-authentication arbitrary code execution (RCE) on the application server if an attacker can first write controlled data to a user's storage attribute, impacting OpenAM Community Edition through version 16.0.6.</description><content:encoded><![CDATA[<p>A critical security vulnerability, CVE-2026-45051, has been disclosed in OpenAM Community Edition affecting versions up to 16.0.6. The flaw resides in the WebAuthn authentication module, specifically within the <code>openam-auth-webauthn</code> component, and is categorized as a deserialization of untrusted data (CWE-502). This vulnerability can lead to pre-authentication arbitrary code execution (RCE) in the context of the application server. Exploitation requires a specific pre-condition: an attacker must first be able to write attacker-controlled serialized Java objects to a user's storage attribute that is subsequently read by the WebAuthn module. While this is not the default configuration, it is feasible in deployments where the storage attribute is made user-writable through misconfiguration or other vulnerabilities. The vulnerability has been addressed in OpenAM Community Edition version 16.1.1.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise/Pre-condition fulfillment</strong>: An attacker gains the ability to write arbitrary data to an OpenAM user's storage attribute. This could occur through various means such as abusing delegated administration privileges, gaining write access to the backing LDAP/directory user record, exploiting a separate vulnerability like legacy REST self-registration, or due to an unsafe reconfiguration of the <code>userAttribute</code> to an attacker-writable string attribute.</li>
<li><strong>Payload Injection</strong>: The attacker crafts a malicious serialized Java object (gadget payload) specifically designed for arbitrary code execution on the application server.</li>
<li><strong>Data Modification</strong>: The attacker leverages their acquired write access to modify a target user's storage attribute within OpenAM, embedding the crafted serialized Java object as the attribute's value.</li>
<li><strong>Authentication Flow Initiation</strong>: The attacker initiates a WebAuthn authentication flow, either by attempting to authenticate as the modified user or by triggering any process within OpenAM that involves the retrieval and processing of the modified user's WebAuthn-related data.</li>
<li><strong>Vulnerable Deserialization</strong>: OpenAM's WebAuthn module, while processing the authentication flow, attempts to deserialize the content of the compromised storage attribute, which now contains the attacker's malicious serialized Java object.</li>
<li><strong>Code Execution</strong>: During the deserialization process, the malicious Java gadget payload embedded within the storage attribute is executed by the underlying Java Virtual Machine on the OpenAM application server, resulting in arbitrary code execution with the privileges of the application server user.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>If successfully exploited, CVE-2026-45051 grants an attacker arbitrary code execution on the OpenAM application server. This means an attacker could completely compromise the identity management system, gaining control over user accounts, accessing sensitive information, manipulating authentication processes, or establishing persistent access within the targeted organization's network. While the vulnerability requires a pre-condition where a storage attribute becomes user-writable (which is not the default), the product allows administrators to configure this attribute freely without warnings or enforcement, making such misconfigurations feasible in real-world deployments. The impact extends to all data and systems relying on the compromised OpenAM instance for authentication and authorization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update OpenAM Community Edition to version 16.1.1 or later to patch CVE-2026-45051.</li>
<li>Review OpenAM configurations to ensure that the WebAuthn user storage attribute is not set to an attacker-writable string attribute and is managed only by server-side processes.</li>
<li>Scrutinize all administrative access and delegated administration privileges to prevent unauthorized modification of user attributes.</li>
<li>Implement rigorous logging and monitoring for attempts to modify user attributes, especially those related to WebAuthn, within OpenAM and its backing directories (e.g., LDAP).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>deserialization</category><category>RCE</category><category>OpenAM</category><category>WebAuthn</category><category>CVE</category><category>application-exploitation</category></item><item><title>OpenAM Pre-auth User Profile Tampering via Anonymous SOAP Authn in Liberty IDPP/Discovery Endpoints (CVE-2026-45052)</title><link>https://feed.craftedsignal.io/briefs/2026-07-openam-preauth-soap-tampering/</link><pubDate>Fri, 03 Jul 2026 10:47:14 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-openam-preauth-soap-tampering/</guid><description>An improper authorization vulnerability (CVE-2026-45052) in OpenAM Community Edition through version 16.0.6 allows an unauthenticated attacker to write persistent entries into the Liberty Discovery store on any user's LDAP entry and a shared root-realm Discovery branch, due to a flaw in the Liberty Web Services SOAP receiver that permits anonymous writes with elevated internal privileges, potentially influencing service routing or security mechanisms if Liberty discovery data is consumed.</description><content:encoded><![CDATA[<p>A critical improper authorization vulnerability (CVE-2026-45052) has been identified in OpenAM Community Edition, affecting versions through 16.0.6. This flaw resides within the Liberty Web Services SOAP receiver, specifically in its IDPP/Discovery Endpoints. An unauthenticated remote attacker can exploit this vulnerability to perform anonymous writes of persistent entries into the Liberty Discovery store. These malicious writes can target any user's LDAP entry or a shared root-realm Discovery branch. The exploit bypasses standard LDAP and identity Access Control Lists (ACLs) because the server-side Discovery handlers process these requests with elevated internal privileges, explicitly utilizing an internal admin token. This vulnerability, stemming from a legacy protocol (Liberty ID-WSF), allows attackers to manipulate core identity data, with potential downstream impacts on service routing or security mechanism selection in deployments that consume this Discovery data. The issue was patched in OpenAM Community Edition version 16.1.1.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Target Identification</strong>: An unauthenticated remote attacker identifies an internet-facing OpenAM Community Edition instance running a vulnerable version (&lt;= 16.0.6) that exposes the Liberty Web Services SOAP endpoint.</li>
<li><strong>Endpoint Discovery</strong>: The attacker discovers the vulnerable Liberty IDPP/Discovery SOAP endpoint.</li>
<li><strong>Malicious Request Crafting</strong>: The attacker crafts a specially designed SOAP request containing data intended to be written persistently into OpenAM's identity store.</li>
<li><strong>Unauthorized Request Submission</strong>: The attacker submits the crafted SOAP request to the vulnerable Liberty IDPP/Discovery endpoint without requiring any authentication.</li>
<li><strong>Privilege Escalation (Internal)</strong>: The vulnerable OpenAM server receives the unauthenticated request, and its Liberty Discovery handlers process it using an internal admin token, effectively operating with elevated privileges.</li>
<li><strong>Data Tampering and Persistence</strong>: The server-side process bypasses normal LDAP and identity ACLs, successfully writing the attacker's specified persistent entries into the Liberty Discovery store, targeting either a user's LDAP entry or a shared root-realm Discovery branch.</li>
<li><strong>Impact on Service Routing/Security</strong>: If downstream systems actively consume Liberty discovery data, these manipulated records could subsequently influence service routing decisions or compromise security mechanism selections, potentially leading to unauthorized access, bypass of authentication, or denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>OpenAM Community Edition deployments up to version 16.0.6 that have the Liberty Web Services component exposed are severely impacted. An unauthenticated attacker can leverage this vulnerability to inject persistent, unauthorized data into critical identity stores. This includes the ability to modify user LDAP entries and global Discovery branches. Because these writes occur with elevated internal privileges and bypass normal access controls, they represent a significant compromise of the identity management system. In environments where Liberty discovery data is actively utilized, such manipulated records could directly influence how services are routed or how security mechanisms operate, potentially leading to widespread unauthorized access, service disruption, or other severe security compromises across the affected enterprise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch OpenAM Community Edition instances to version 16.1.1 or later to remediate CVE-2026-45052.</li>
<li>Review and ensure that the Liberty Web Services component is not exposed unnecessarily, especially if not actively used.</li>
<li>Consider implementing network segmentation or access control lists to restrict access to OpenAM's administrative and critical endpoints to trusted sources only.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>vulnerability</category><category>identity-management</category><category>web-application</category><category>openam</category></item></channel></rss>