Vendor
OpenDJ Pre-Auth RCE via Java Deserialization in JMX RMI (CVE-2026-46495)
2 TTPsA critical pre-authentication remote code execution (RCE) vulnerability, CVE-2026-46495, exists in OpenDJ Community Edition affecting versions up to 5.1.0, where a deserialization of untrusted data issue in the JMX RMI connector allows unauthenticated attackers with TCP reachability to the JMX listener to execute arbitrary Java objects, potentially leading to full system compromise.
OpenAM Pre-Auth RCE via WebAuthn Java Deserialization (CVE-2026-45051)
2 TTPsA critical deserialization of untrusted data vulnerability, identified as CVE-2026-45051, in OpenAM's WebAuthn authentication module (openam-auth-webauthn) allows for pre-authentication arbitrary code execution (RCE) on the application server if an attacker can first write controlled data to a user's storage attribute, impacting OpenAM Community Edition through version 16.0.6.
OpenAM Pre-auth User Profile Tampering via Anonymous SOAP Authn in Liberty IDPP/Discovery Endpoints (CVE-2026-45052)
2 TTPsAn improper authorization vulnerability (CVE-2026-45052) in OpenAM Community Edition through version 16.0.6 allows an unauthenticated attacker to write persistent entries into the Liberty Discovery store on any user's LDAP entry and a shared root-realm Discovery branch, due to a flaw in the Liberty Web Services SOAP receiver that permits anonymous writes with elevated internal privileges, potentially influencing service routing or security mechanisms if Liberty discovery data is consumed.