Skip to main content

OpenAM CVE-2026-44202

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-22 https://github.com/OpenIdentityPlatform/OpenAM GHSA-c556-q2mh-477v
Share

Severity by source

vuln.today AI
5.0 MEDIUM

Network-accessible endpoint requires low-privilege authentication (PR:L); SSRF causes server to contact external systems (S:C), with limited confidentiality impact (C:L) and no integrity or availability impact described.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 22, 2026 - 20:30 vuln.today
Analysis Generated
Jun 22, 2026 - 20:30 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 55 maven packages depend on org.openidentityplatform.openam:openam-core (51 direct, 4 indirect)

Ecosystem-wide dependent count for version 16.1.1.

DescriptionCVE.org

OpenAM (Open Identity Platform) is an open-source Identity and Access Management (IAM) platform derived from ForgeRock OpenAM, providing SSO, OAuth2, SAML, and OpenID Connect capabilities. It is widely deployed in enterprise environments as a central authentication gateway.

The /sessionservice endpoint, used for internal session management operations, does not sufficiently restrict the URLs that authenticated users may register for session event notifications. Under certain conditions, this may result in outbound server-side requests to attacker-controlled destinations, potentially exposing session-related data.

This behavior results in a server-side request forgery (SSRF) vulnerability, where an authenticated attacker can trigger outbound requests to arbitrary destinations.

Credit

Discovered by JD-Security SHENYI Team

AnalysisAI

Server-Side Request Forgery in OpenAM's /sessionservice endpoint allows authenticated attackers to register arbitrary URLs for session event notifications, causing the IAM server to make outbound HTTP requests to attacker-controlled destinations. Affected versions are org.openidentityplatform.openam:openam-core up to and including 16.0.6; the flaw was patched in release 16.1.1. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to OpenAM with valid credentials
Delivery
Send crafted /sessionservice request registering attacker-controlled callback URL
Exploit
Trigger session event (logout, expiry, or refresh)
Execution
OpenAM server issues outbound HTTP request to attacker URL
Impact
Capture session data or probe internal network resources

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session on the OpenAM instance - the attacker must hold any valid user credential, not necessarily an administrative account. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector was supplied by the reporter, so all metric assessments below are independently derived. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid OpenAM user account sends a crafted request to the /sessionservice endpoint, registering an attacker-controlled URL (e.g., an external server or an internal cloud metadata endpoint) as a session event notification callback. When a session event is subsequently triggered, the OpenAM server issues an outbound HTTP request to that URL, potentially including session-related data in headers or the request body, which the attacker captures. …
Remediation Upgrade org.openidentityplatform.openam:openam-core to version 16.1.1 or later, as confirmed by the GitHub release at https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.1.1 and the security advisory at https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-c556-q2mh-477v. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44202 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy