Skip to main content

OpenAM CVE-2026-41573

HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-06-22 https://github.com/OpenIdentityPlatform/OpenAM GHSA-2vg8-q4c2-5cw3
Share

Severity by source

vuln.today AI
7.1 HIGH

Network-reachable CREST endpoint (AV:N) requires any valid SSO token (PR:L) with no user interaction; primary impact is directory disclosure (C:H), with limited integrity via filter manipulation and no DoS.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 22, 2026 - 20:16 vuln.today
Analysis Generated
Jun 22, 2026 - 20:16 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 maven packages depend on org.openidentityplatform.openam:openam-core-rest (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 16.1.1.

DescriptionCVE.org

OpenAM (Open Identity Platform) is an open-source IAM platform providing SSO, OAuth2, SAML, and OpenID Connect capabilities. The CREST REST API layer exposes user query endpoints under /json/{realm}/users. In IdentityResourceV1.queryCollection(), the HTTP query parameter _queryId is passed to a CrestQuery object with escapeQueryId explicitly set to false, bypassing the escape protection introduced as part of the CVE-2021-29156 fix. The unescaped value flows directly to DJLDAPv3Repo.getFilter() where it is concatenated into an LDAP filter string without sanitization, enabling authenticated attackers to inject arbitrary LDAP metacharacters for user enumeration and blind LDAP injection.

Affected Endpoint

EndpointAuth RequiredInjection Parameter
GET /openam/json/{realm}/users?_queryId=<INJECTION>SSO Token_queryId
GET /openam/json/{realm}/groups?_queryId=<INJECTION>SSO Token (TBD)_queryId

Background: CVE-2021-29156

CVE-2021-29156 was a pre-authentication LDAP injection in OpenAM's Webfinger endpoint, where user-supplied input reached DJLDAPv3Repo.getFilter() unescaped. The fix introduced the escapeQueryId flag in CrestQuery (defaulting to true) and added Filter.escapeAssertionValue() in the filter-building path:

Credit

Discovered by JD-Security SHENYI Team

AnalysisAI

LDAP injection in OpenAM (Open Identity Platform) versions <= 16.0.6 allows authenticated attackers to inject arbitrary LDAP metacharacters via the _queryId parameter on the CREST REST API user/group endpoints, enabling user enumeration and blind LDAP injection. The flaw stems from IdentityResourceV1.queryCollection() explicitly setting escapeQueryId=false, regressing the escape protection added for CVE-2021-29156. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid SSO token
Delivery
Send GET to /json/{realm}/users with crafted _queryId
Exploit
Metacharacters injected into LDAP filter
Execution
Observe response/timing differences
Impact
Enumerate users and exfiltrate directory attributes

Vulnerability AssessmentAI

Exploitation Requires a valid SSO token for the target OpenAM instance (any authenticated session is sufficient - no administrative role is called out) and network reachability to the `/openam/json/{realm}/users` CREST endpoint; exploitation against `/openam/json/{realm}/groups` is listed as TBD. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score is provided by the vendor (NVD score N/A) and no EPSS or CISA KEV listing is available, so prioritization must be derived from the advisory text. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained any valid SSO token - for example a low-privileged end user or a registered tenant account - issues `GET /openam/json/{realm}/users?_queryId=*` (and similar boolean payloads such as `*)(uid=admin*`) to enumerate accounts and infer attribute values via blind LDAP injection by observing differences in response content or timing. Repeated queries let them reconstruct usernames, group memberships, and other directory attributes character-by-character, even where those attributes are normally hidden behind ACIs at the application layer.
Remediation Vendor-released patch: upgrade OpenAM to 16.1.1 or later, per the release notes at https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.1.1 and advisory GHSA-2vg8-q4c2-5cw3. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all OpenAM deployments to identify instances running version 16.0.6 or earlier; restrict REST API access to essential services only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-41573 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy