Skip to main content

OpenAM CVE-2026-44793

LOW
Cross-site Scripting (XSS) (CWE-79)
2026-06-22 https://github.com/OpenIdentityPlatform/OpenAM GHSA-fhrq-3gmx-p879

Severity by source

vuln.today AI
4.7 MEDIUM

AC:H because non-default clustered configuration is required; PR:N per advisory; UI:R and S:C are standard for reflected XSS with no server-side code execution.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 22, 2026 - 21:21 vuln.today
Analysis Generated
Jun 22, 2026 - 21:21 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 8 maven packages depend on org.openidentityplatform.openam:openam-federation-library (5 direct, 3 indirect)

Ecosystem-wide dependent count for version 16.1.1.

DescriptionCVE.org

Summary

Certain federation endpoints do not consistently apply output encoding when rendering user-supplied parameters into HTML responses. Under a non-default configuration used in some clustered deployments, this inconsistency can result in reflected XSS in the OpenAM origin without authentication.

AnalysisAI

Reflected XSS in OpenAM's SAML2 federation library (openam-federation-library versions prior to 16.1.1) allows unauthenticated remote attackers to inject arbitrary JavaScript into the OpenAM origin via the Cookie-Hash-Redirect path, exploiting inconsistent output encoding in the FSUtils.postToTarget method. The attack surface is limited to deployments using a non-default clustered configuration; standard single-node deployments are not affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify clustered OpenAM deployment
Delivery
Craft malicious SAML2 federation URL with injected script payload
Exploit
Deliver crafted link to victim via phishing
Install
Victim clicks link and browser hits vulnerable federation endpoint
C2
OpenAM reflects unsanitized parameter in HTML response
Execute
Injected JavaScript executes in OpenAM origin
Impact
Exfiltrate session tokens or hijack SSO session

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target OpenAM deployment is operating in a clustered mode under a non-default configuration that activates the SAML2 Cookie-Hash-Redirect code path through FSUtils.postToTarget - deployments using the default single-node or non-clustered configuration are not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score or vector was provided in the source data, so risk is assessed independently. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies an enterprise OpenAM deployment running in clustered mode with the non-default configuration that enables the SAML2 Cookie-Hash-Redirect path. The attacker crafts a federation URL targeting the vulnerable endpoint, embedding a JavaScript payload in a user-supplied SAML2 parameter processed by FSUtils.postToTarget, and distributes it via phishing email to employees who use the OpenAM SSO portal. …
Remediation Upgrade the openam-federation-library Maven dependency to version 16.1.1 or later; this is the vendor-confirmed fix per GHSA-fhrq-3gmx-p879 and the release at https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.1.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44793 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy