OpenAM CVE-2026-44202
MEDIUMSeverity by source
Network-accessible endpoint requires low-privilege authentication (PR:L); SSRF causes server to contact external systems (S:C), with limited confidentiality impact (C:L) and no integrity or availability impact described.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
2Blast Radius
ecosystem impact- 55 maven packages depend on org.openidentityplatform.openam:openam-core (51 direct, 4 indirect)
Ecosystem-wide dependent count for version 16.1.1.
DescriptionCVE.org
OpenAM (Open Identity Platform) is an open-source Identity and Access Management (IAM) platform derived from ForgeRock OpenAM, providing SSO, OAuth2, SAML, and OpenID Connect capabilities. It is widely deployed in enterprise environments as a central authentication gateway.
The /sessionservice endpoint, used for internal session management operations, does not sufficiently restrict the URLs that authenticated users may register for session event notifications. Under certain conditions, this may result in outbound server-side requests to attacker-controlled destinations, potentially exposing session-related data.
This behavior results in a server-side request forgery (SSRF) vulnerability, where an authenticated attacker can trigger outbound requests to arbitrary destinations.
Credit
Discovered by JD-Security SHENYI Team
AnalysisAI
Server-Side Request Forgery in OpenAM's /sessionservice endpoint allows authenticated attackers to register arbitrary URLs for session event notifications, causing the IAM server to make outbound HTTP requests to attacker-controlled destinations. Affected versions are org.openidentityplatform.openam:openam-core up to and including 16.0.6; the flaw was patched in release 16.1.1. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session on the OpenAM instance - the attacker must hold any valid user credential, not necessarily an administrative account. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector was supplied by the reporter, so all metric assessments below are independently derived. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a valid OpenAM user account sends a crafted request to the /sessionservice endpoint, registering an attacker-controlled URL (e.g., an external server or an internal cloud metadata endpoint) as a session event notification callback. When a session event is subsequently triggered, the OpenAM server issues an outbound HTTP request to that URL, potentially including session-related data in headers or the request body, which the attacker captures. … |
| Remediation | Upgrade org.openidentityplatform.openam:openam-core to version 16.1.1 or later, as confirmed by the GitHub release at https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.1.1 and the security advisory at https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-c556-q2mh-477v. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-c556-q2mh-477v