Skip to content
Threat Feed

Vendor

Open Identity Platform

3 briefs RSS
critical advisory

OpenDJ Pre-Auth RCE via Java Deserialization in JMX RMI (CVE-2026-46495)

A critical pre-authentication remote code execution (RCE) vulnerability, CVE-2026-46495, exists in OpenDJ Community Edition affecting versions up to 5.1.0, where a deserialization of untrusted data issue in the JMX RMI connector allows unauthenticated attackers with TCP reachability to the JMX listener to execute arbitrary Java objects, potentially leading to full system compromise.

OpenDJ Community Edition <= 5.1.0 +1 java deserialization rce opendj jmx-rmi pre-auth network
2t
critical advisory

OpenAM Pre-Auth RCE via WebAuthn Java Deserialization (CVE-2026-45051)

A critical deserialization of untrusted data vulnerability, identified as CVE-2026-45051, in OpenAM's WebAuthn authentication module (openam-auth-webauthn) allows for pre-authentication arbitrary code execution (RCE) on the application server if an attacker can first write controlled data to a user's storage attribute, impacting OpenAM Community Edition through version 16.0.6.

OpenAM Community Edition <= 16.0.6 +1 deserialization RCE OpenAM WebAuthn CVE application-exploitation
2t
critical advisory

OpenAM Pre-auth User Profile Tampering via Anonymous SOAP Authn in Liberty IDPP/Discovery Endpoints (CVE-2026-45052)

An improper authorization vulnerability (CVE-2026-45052) in OpenAM Community Edition through version 16.0.6 allows an unauthenticated attacker to write persistent entries into the Liberty Discovery store on any user's LDAP entry and a shared root-realm Discovery branch, due to a flaw in the Liberty Web Services SOAP receiver that permits anonymous writes with elevated internal privileges, potentially influencing service routing or security mechanisms if Liberty discovery data is consumed.

OpenAM Community Edition +1 vulnerability identity-management web-application openam
2t