OpenAM CVE-2026-44203
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Pre-auth reflected XSS reachable over the network (AV:N/AC:L/PR:N), needs victim click (UI:R), and script in OpenAM origin compromises federated sessions for other apps (S:C, C:H/I:H, A:N).
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The OAuth 2.0 / OpenID Connect authorization endpoint does not sufficiently sanitize certain user-supplied parameters before incorporating them into the HTML response generated for the form_post response mode. This may allow an attacker to inject content into the rendered page in the context of the OpenAM origin.
AnalysisAI
Reflected cross-site scripting in OpenIdentityPlatform OpenAM versions 13.0.0 through 16.1.0 allows remote attackers to inject arbitrary HTML/JavaScript into the OAuth 2.0/OpenID Connect authorization endpoint response when the form_post response mode is used. The flaw resides in the FormPostResponse.ftl template, which insufficiently sanitizes user-supplied parameters such as state before reflecting them into the rendered HTML. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target OpenAM instance expose the OAuth 2.0 / OpenID Connect authorization endpoint with response_mode=form_post enabled (a standard, commonly used OIDC flow) and that a victim be induced to load a crafted authorization URL (UI:R in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N yields 9.3 because the bug is reachable pre-authentication over the network, requires only that a victim click a crafted authorization URL, and crosses a security scope boundary - script in the OpenAM origin can hijack federated sessions for downstream applications. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts an OAuth2 authorization URL pointing at a vulnerable OpenAM instance with response_mode=form_post and a malicious payload in the state (or similar) parameter that escapes the HTML attribute context inside FormPostResponse.ftl. The victim - an authenticated OpenAM user, often an administrator or workforce SSO user - is phished into clicking the link, after which JavaScript executes in the OpenAM origin and exfiltrates session cookies or silently issues federation requests to relying parties. … |
| Remediation | Vendor-released patch: OpenAM 16.1.1 - upgrade the openam-oauth2 artifact and redeploy OpenAM following https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.1.1 and the advisory at https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-fq9h-c788-fx73. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all deployed OpenAM instances and determine whether versions 13.0.0-16.1.0 are in use; disable form_post response mode if operationally feasible as a temporary control. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-fq9h-c788-fx73