Skip to main content

OpenAM CVE-2026-44203

CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-06-22 https://github.com/OpenIdentityPlatform/OpenAM GHSA-fq9h-c788-fx73
9.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
vuln.today AI
9.3 CRITICAL

Pre-auth reflected XSS reachable over the network (AV:N/AC:L/PR:N), needs victim click (UI:R), and script in OpenAM origin compromises federated sessions for other apps (S:C, C:H/I:H, A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 22, 2026 - 20:31 vuln.today
Analysis Generated
Jun 22, 2026 - 20:31 vuln.today

DescriptionGitHub Advisory

Summary

The OAuth 2.0 / OpenID Connect authorization endpoint does not sufficiently sanitize certain user-supplied parameters before incorporating them into the HTML response generated for the form_post response mode. This may allow an attacker to inject content into the rendered page in the context of the OpenAM origin.

AnalysisAI

Reflected cross-site scripting in OpenIdentityPlatform OpenAM versions 13.0.0 through 16.1.0 allows remote attackers to inject arbitrary HTML/JavaScript into the OAuth 2.0/OpenID Connect authorization endpoint response when the form_post response mode is used. The flaw resides in the FormPostResponse.ftl template, which insufficiently sanitizes user-supplied parameters such as state before reflecting them into the rendered HTML. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify OpenAM authorization endpoint
Delivery
Craft form_post URL with XSS in state
Exploit
Phish victim with active SSO session
Install
Browser renders FormPostResponse.ftl with injected script
C2
Script executes in OpenAM origin
Execute
Exfiltrate session cookies or forge federation requests
Impact
Pivot into relying-party applications

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target OpenAM instance expose the OAuth 2.0 / OpenID Connect authorization endpoint with response_mode=form_post enabled (a standard, commonly used OIDC flow) and that a victim be induced to load a crafted authorization URL (UI:R in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N yields 9.3 because the bug is reachable pre-authentication over the network, requires only that a victim click a crafted authorization URL, and crosses a security scope boundary - script in the OpenAM origin can hijack federated sessions for downstream applications. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts an OAuth2 authorization URL pointing at a vulnerable OpenAM instance with response_mode=form_post and a malicious payload in the state (or similar) parameter that escapes the HTML attribute context inside FormPostResponse.ftl. The victim - an authenticated OpenAM user, often an administrator or workforce SSO user - is phished into clicking the link, after which JavaScript executes in the OpenAM origin and exfiltrates session cookies or silently issues federation requests to relying parties. …
Remediation Vendor-released patch: OpenAM 16.1.1 - upgrade the openam-oauth2 artifact and redeploy OpenAM following https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.1.1 and the advisory at https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-fq9h-c788-fx73. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all deployed OpenAM instances and determine whether versions 13.0.0-16.1.0 are in use; disable form_post response mode if operationally feasible as a temporary control. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44203 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy