Skip to main content
CVE-2026-46619 HIGH PATCH GHSA This Week

Pre-authentication login bypass in OpenAM Community Edition through 16.0.6 lets an unauthenticated remote attacker mint a valid OpenAM session for an arbitrary user without supplying a password. The MSISDN authentication module concatenates a request-supplied MSISDN value directly into an LDAP search filter (CWE-90), and because the default trusted-gateway list permits all traffic, any realm with an MSISDN module in its authentication chain is reachable and exploitable. No public exploit identified at time of analysis, and the issue is fixed in version 16.1.1.

Code Injection LDAP Authentication Bypass
NVD GitHub
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy