OpenAM CVE-2026-41573
HIGHSeverity by source
Network-reachable CREST endpoint (AV:N) requires any valid SSO token (PR:L) with no user interaction; primary impact is directory disclosure (C:H), with limited integrity via filter manipulation and no DoS.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
2Blast Radius
ecosystem impact- 2 maven packages depend on org.openidentityplatform.openam:openam-core-rest (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 16.1.1.
DescriptionCVE.org
OpenAM (Open Identity Platform) is an open-source IAM platform providing SSO, OAuth2, SAML, and OpenID Connect capabilities. The CREST REST API layer exposes user query endpoints under /json/{realm}/users. In IdentityResourceV1.queryCollection(), the HTTP query parameter _queryId is passed to a CrestQuery object with escapeQueryId explicitly set to false, bypassing the escape protection introduced as part of the CVE-2021-29156 fix. The unescaped value flows directly to DJLDAPv3Repo.getFilter() where it is concatenated into an LDAP filter string without sanitization, enabling authenticated attackers to inject arbitrary LDAP metacharacters for user enumeration and blind LDAP injection.
Affected Endpoint
| Endpoint | Auth Required | Injection Parameter |
|---|---|---|
GET /openam/json/{realm}/users?_queryId=<INJECTION> | SSO Token | _queryId |
GET /openam/json/{realm}/groups?_queryId=<INJECTION> | SSO Token (TBD) | _queryId |
Background: CVE-2021-29156
CVE-2021-29156 was a pre-authentication LDAP injection in OpenAM's Webfinger endpoint, where user-supplied input reached DJLDAPv3Repo.getFilter() unescaped. The fix introduced the escapeQueryId flag in CrestQuery (defaulting to true) and added Filter.escapeAssertionValue() in the filter-building path:
Credit
Discovered by JD-Security SHENYI Team
AnalysisAI
LDAP injection in OpenAM (Open Identity Platform) versions <= 16.0.6 allows authenticated attackers to inject arbitrary LDAP metacharacters via the _queryId parameter on the CREST REST API user/group endpoints, enabling user enumeration and blind LDAP injection. The flaw stems from IdentityResourceV1.queryCollection() explicitly setting escapeQueryId=false, regressing the escape protection added for CVE-2021-29156. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a valid SSO token for the target OpenAM instance (any authenticated session is sufficient - no administrative role is called out) and network reachability to the `/openam/json/{realm}/users` CREST endpoint; exploitation against `/openam/json/{realm}/groups` is listed as TBD. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS score is provided by the vendor (NVD score N/A) and no EPSS or CISA KEV listing is available, so prioritization must be derived from the advisory text. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained any valid SSO token - for example a low-privileged end user or a registered tenant account - issues `GET /openam/json/{realm}/users?_queryId=*` (and similar boolean payloads such as `*)(uid=admin*`) to enumerate accounts and infer attribute values via blind LDAP injection by observing differences in response content or timing. Repeated queries let them reconstruct usernames, group memberships, and other directory attributes character-by-character, even where those attributes are normally hidden behind ACIs at the application layer. |
| Remediation | Vendor-released patch: upgrade OpenAM to 16.1.1 or later, per the release notes at https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.1.1 and advisory GHSA-2vg8-q4c2-5cw3. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all OpenAM deployments to identify instances running version 16.0.6 or earlier; restrict REST API access to essential services only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-2vg8-q4c2-5cw3