{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/open-identity-platform/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenDJ Community Edition \u003c= 5.1.0","opendj-server-legacy \u003c= 5.1.0"],"_cs_severities":["critical"],"_cs_tags":["java","deserialization","rce","opendj","jmx-rmi","pre-auth","network"],"_cs_type":"advisory","_cs_vendors":["Open Identity Platform"],"content_html":"\u003cp\u003eA critical pre-authentication remote code execution (RCE) vulnerability, identified as CVE-2026-46495, impacts OpenDJ Community Edition versions up to 5.1.0. This flaw stems from a deserialization of untrusted data (CWE-502) within OpenDJ's JMX RMI connector, which allows an unauthenticated remote attacker to deserialize arbitrary Java objects on the server. The vulnerability exists because the platform processes attacker-controlled bytes prior to any authentication. While the JMX Connection Handler is disabled by default, it is frequently enabled in production environments for monitoring purposes, significantly expanding the attack surface. Exploitation requires direct TCP reachability to the configured JMX listener and does not necessitate prior authentication, specific privileges, or client certificates. Successful exploitation can lead to complete system compromise, with the specific impact depending on the server's runtime classpath and Java version. This issue was patched in OpenDJ Community Edition version 5.1.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated remote attacker identifies an internet-accessible OpenDJ server with the JMX Connection Handler enabled, listening for JMX RMI connections.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious serialized Java object payload designed to execute arbitrary commands upon deserialization.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a connection to the OpenDJ JMX RMI listener.\u003c/li\u003e\n\u003cli\u003eThe attacker transmits the crafted malicious serialized Java object payload over the JMX RMI connection.\u003c/li\u003e\n\u003cli\u003eThe OpenDJ server, due to the deserialization of untrusted data vulnerability (CVE-2026-46495), processes and deserializes the attacker-controlled bytes before any authentication takes place.\u003c/li\u003e\n\u003cli\u003eDuring deserialization, the malicious Java object triggers arbitrary code execution on the underlying operating system within the context of the OpenDJ server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthenticated Remote Code Execution (RCE) on the server, potentially leading to full system compromise or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis critical vulnerability impacts all OpenDJ Community Edition releases up to 5.1.0 where the JMX Connection Handler is enabled, a common practice for monitoring integrations. Successful exploitation requires TCP reachability to the JMX listener and grants unauthenticated Remote Code Execution (RCE), allowing attackers to run arbitrary code on the server. The severity of the RCE and potential for system compromise depends on the server's runtime classpath and Java version. For example, unauthenticated RCE was specifically demonstrated on OpenDJ 4.4.15 running JDK 11 with Jackson 2.12.6.1, indicating a high potential for severe consequences including data breach, system disruption, or further network lateral movement.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching all affected OpenDJ Community Edition instances to version 5.1.1 or higher immediately to remediate CVE-2026-46495.\u003c/li\u003e\n\u003cli\u003eReview network firewall rules to ensure that the OpenDJ JMX RMI connector port (default 1099, though configurable) is not exposed to untrusted networks or the internet unless absolutely necessary.\u003c/li\u003e\n\u003cli\u003eDisable the JMX Connection Handler if it is not explicitly required for monitoring integrations, as it is disabled by default in OpenDJ.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:03:19Z","date_published":"2026-07-03T11:03:19Z","id":"https://feed.craftedsignal.io/briefs/2026-07-opendj-pre-auth-rce/","summary":"A critical pre-authentication remote code execution (RCE) vulnerability, CVE-2026-46495, exists in OpenDJ Community Edition affecting versions up to 5.1.0, where a deserialization of untrusted data issue in the JMX RMI connector allows unauthenticated attackers with TCP reachability to the JMX listener to execute arbitrary Java objects, potentially leading to full system compromise.","title":"OpenDJ Pre-Auth RCE via Java Deserialization in JMX RMI (CVE-2026-46495)","url":"https://feed.craftedsignal.io/briefs/2026-07-opendj-pre-auth-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenAM Community Edition \u003c= 16.0.6","openam-auth-webauthn \u003c= 16.0.6"],"_cs_severities":["critical"],"_cs_tags":["deserialization","RCE","OpenAM","WebAuthn","CVE","application-exploitation"],"_cs_type":"advisory","_cs_vendors":["Open Identity Platform"],"content_html":"\u003cp\u003eA critical security vulnerability, CVE-2026-45051, has been disclosed in OpenAM Community Edition affecting versions up to 16.0.6. The flaw resides in the WebAuthn authentication module, specifically within the \u003ccode\u003eopenam-auth-webauthn\u003c/code\u003e component, and is categorized as a deserialization of untrusted data (CWE-502). This vulnerability can lead to pre-authentication arbitrary code execution (RCE) in the context of the application server. Exploitation requires a specific pre-condition: an attacker must first be able to write attacker-controlled serialized Java objects to a user's storage attribute that is subsequently read by the WebAuthn module. While this is not the default configuration, it is feasible in deployments where the storage attribute is made user-writable through misconfiguration or other vulnerabilities. The vulnerability has been addressed in OpenAM Community Edition version 16.1.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise/Pre-condition fulfillment\u003c/strong\u003e: An attacker gains the ability to write arbitrary data to an OpenAM user's storage attribute. This could occur through various means such as abusing delegated administration privileges, gaining write access to the backing LDAP/directory user record, exploiting a separate vulnerability like legacy REST self-registration, or due to an unsafe reconfiguration of the \u003ccode\u003euserAttribute\u003c/code\u003e to an attacker-writable string attribute.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Injection\u003c/strong\u003e: The attacker crafts a malicious serialized Java object (gadget payload) specifically designed for arbitrary code execution on the application server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Modification\u003c/strong\u003e: The attacker leverages their acquired write access to modify a target user's storage attribute within OpenAM, embedding the crafted serialized Java object as the attribute's value.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Flow Initiation\u003c/strong\u003e: The attacker initiates a WebAuthn authentication flow, either by attempting to authenticate as the modified user or by triggering any process within OpenAM that involves the retrieval and processing of the modified user's WebAuthn-related data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Deserialization\u003c/strong\u003e: OpenAM's WebAuthn module, while processing the authentication flow, attempts to deserialize the content of the compromised storage attribute, which now contains the attacker's malicious serialized Java object.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution\u003c/strong\u003e: During the deserialization process, the malicious Java gadget payload embedded within the storage attribute is executed by the underlying Java Virtual Machine on the OpenAM application server, resulting in arbitrary code execution with the privileges of the application server user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf successfully exploited, CVE-2026-45051 grants an attacker arbitrary code execution on the OpenAM application server. This means an attacker could completely compromise the identity management system, gaining control over user accounts, accessing sensitive information, manipulating authentication processes, or establishing persistent access within the targeted organization's network. While the vulnerability requires a pre-condition where a storage attribute becomes user-writable (which is not the default), the product allows administrators to configure this attribute freely without warnings or enforcement, making such misconfigurations feasible in real-world deployments. The impact extends to all data and systems relying on the compromised OpenAM instance for authentication and authorization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update OpenAM Community Edition to version 16.1.1 or later to patch CVE-2026-45051.\u003c/li\u003e\n\u003cli\u003eReview OpenAM configurations to ensure that the WebAuthn user storage attribute is not set to an attacker-writable string attribute and is managed only by server-side processes.\u003c/li\u003e\n\u003cli\u003eScrutinize all administrative access and delegated administration privileges to prevent unauthorized modification of user attributes.\u003c/li\u003e\n\u003cli\u003eImplement rigorous logging and monitoring for attempts to modify user attributes, especially those related to WebAuthn, within OpenAM and its backing directories (e.g., LDAP).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T10:48:07Z","date_published":"2026-07-03T10:48:07Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openam-rce/","summary":"A critical deserialization of untrusted data vulnerability, identified as CVE-2026-45051, in OpenAM's WebAuthn authentication module (openam-auth-webauthn) allows for pre-authentication arbitrary code execution (RCE) on the application server if an attacker can first write controlled data to a user's storage attribute, impacting OpenAM Community Edition through version 16.0.6.","title":"OpenAM Pre-Auth RCE via WebAuthn Java Deserialization (CVE-2026-45051)","url":"https://feed.craftedsignal.io/briefs/2026-07-openam-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenAM Community Edition (\u003c= 16.0.6)","openam-federation-library (\u003c= 16.0.6)"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","identity-management","web-application","openam"],"_cs_type":"advisory","_cs_vendors":["Open Identity Platform"],"content_html":"\u003cp\u003eA critical improper authorization vulnerability (CVE-2026-45052) has been identified in OpenAM Community Edition, affecting versions through 16.0.6. This flaw resides within the Liberty Web Services SOAP receiver, specifically in its IDPP/Discovery Endpoints. An unauthenticated remote attacker can exploit this vulnerability to perform anonymous writes of persistent entries into the Liberty Discovery store. These malicious writes can target any user's LDAP entry or a shared root-realm Discovery branch. The exploit bypasses standard LDAP and identity Access Control Lists (ACLs) because the server-side Discovery handlers process these requests with elevated internal privileges, explicitly utilizing an internal admin token. This vulnerability, stemming from a legacy protocol (Liberty ID-WSF), allows attackers to manipulate core identity data, with potential downstream impacts on service routing or security mechanism selection in deployments that consume this Discovery data. The issue was patched in OpenAM Community Edition version 16.1.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eTarget Identification\u003c/strong\u003e: An unauthenticated remote attacker identifies an internet-facing OpenAM Community Edition instance running a vulnerable version (\u0026lt;= 16.0.6) that exposes the Liberty Web Services SOAP endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEndpoint Discovery\u003c/strong\u003e: The attacker discovers the vulnerable Liberty IDPP/Discovery SOAP endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Request Crafting\u003c/strong\u003e: The attacker crafts a specially designed SOAP request containing data intended to be written persistently into OpenAM's identity store.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Request Submission\u003c/strong\u003e: The attacker submits the crafted SOAP request to the vulnerable Liberty IDPP/Discovery endpoint without requiring any authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Internal)\u003c/strong\u003e: The vulnerable OpenAM server receives the unauthenticated request, and its Liberty Discovery handlers process it using an internal admin token, effectively operating with elevated privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Tampering and Persistence\u003c/strong\u003e: The server-side process bypasses normal LDAP and identity ACLs, successfully writing the attacker's specified persistent entries into the Liberty Discovery store, targeting either a user's LDAP entry or a shared root-realm Discovery branch.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact on Service Routing/Security\u003c/strong\u003e: If downstream systems actively consume Liberty discovery data, these manipulated records could subsequently influence service routing decisions or compromise security mechanism selections, potentially leading to unauthorized access, bypass of authentication, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eOpenAM Community Edition deployments up to version 16.0.6 that have the Liberty Web Services component exposed are severely impacted. An unauthenticated attacker can leverage this vulnerability to inject persistent, unauthorized data into critical identity stores. This includes the ability to modify user LDAP entries and global Discovery branches. Because these writes occur with elevated internal privileges and bypass normal access controls, they represent a significant compromise of the identity management system. In environments where Liberty discovery data is actively utilized, such manipulated records could directly influence how services are routed or how security mechanisms operate, potentially leading to widespread unauthorized access, service disruption, or other severe security compromises across the affected enterprise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch OpenAM Community Edition instances to version 16.1.1 or later to remediate CVE-2026-45052.\u003c/li\u003e\n\u003cli\u003eReview and ensure that the Liberty Web Services component is not exposed unnecessarily, especially if not actively used.\u003c/li\u003e\n\u003cli\u003eConsider implementing network segmentation or access control lists to restrict access to OpenAM's administrative and critical endpoints to trusted sources only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T10:47:14Z","date_published":"2026-07-03T10:47:14Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openam-preauth-soap-tampering/","summary":"An improper authorization vulnerability (CVE-2026-45052) in OpenAM Community Edition through version 16.0.6 allows an unauthenticated attacker to write persistent entries into the Liberty Discovery store on any user's LDAP entry and a shared root-realm Discovery branch, due to a flaw in the Liberty Web Services SOAP receiver that permits anonymous writes with elevated internal privileges, potentially influencing service routing or security mechanisms if Liberty discovery data is consumed.","title":"OpenAM Pre-auth User Profile Tampering via Anonymous SOAP Authn in Liberty IDPP/Discovery Endpoints (CVE-2026-45052)","url":"https://feed.craftedsignal.io/briefs/2026-07-openam-preauth-soap-tampering/"}],"language":"en","title":"CraftedSignal Threat Feed - Open Identity Platform","version":"https://jsonfeed.org/version/1.1"}