OpenAM CVE-2026-44793
LOWSeverity by source
AC:H because non-default clustered configuration is required; PR:N per advisory; UI:R and S:C are standard for reflected XSS with no server-side code execution.
Lifecycle Timeline
2Blast Radius
ecosystem impact- 8 maven packages depend on org.openidentityplatform.openam:openam-federation-library (5 direct, 3 indirect)
Ecosystem-wide dependent count for version 16.1.1.
DescriptionCVE.org
Summary
Certain federation endpoints do not consistently apply output encoding when rendering user-supplied parameters into HTML responses. Under a non-default configuration used in some clustered deployments, this inconsistency can result in reflected XSS in the OpenAM origin without authentication.
AnalysisAI
Reflected XSS in OpenAM's SAML2 federation library (openam-federation-library versions prior to 16.1.1) allows unauthenticated remote attackers to inject arbitrary JavaScript into the OpenAM origin via the Cookie-Hash-Redirect path, exploiting inconsistent output encoding in the FSUtils.postToTarget method. The attack surface is limited to deployments using a non-default clustered configuration; standard single-node deployments are not affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target OpenAM deployment is operating in a clustered mode under a non-default configuration that activates the SAML2 Cookie-Hash-Redirect code path through FSUtils.postToTarget - deployments using the default single-node or non-clustered configuration are not affected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS score or vector was provided in the source data, so risk is assessed independently. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies an enterprise OpenAM deployment running in clustered mode with the non-default configuration that enables the SAML2 Cookie-Hash-Redirect path. The attacker crafts a federation URL targeting the vulnerable endpoint, embedding a JavaScript payload in a user-supplied SAML2 parameter processed by FSUtils.postToTarget, and distributes it via phishing email to employees who use the OpenAM SSO portal. … |
| Remediation | Upgrade the openam-federation-library Maven dependency to version 16.1.1 or later; this is the vendor-confirmed fix per GHSA-fhrq-3gmx-p879 and the release at https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.1.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-fhrq-3gmx-p879