Skip to main content

OpenAM CVE-2026-45048

HIGH
Information Exposure (CWE-200)
2026-06-23 https://github.com/OpenIdentityPlatform/OpenAM GHSA-vvhj-w2jq-263q
8.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.5 HIGH

Network-reachable RPC requires low-priv auth (PR:L) and knowledge of target identifier (AC:H); stealing an admin token crosses an authorization boundary (S:C) and fully compromises the victim account (C/I/A:H).

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 18:30 vuln.today
Analysis Generated
Jun 23, 2026 - 18:30 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 55 maven packages depend on org.openidentityplatform.openam:openam-core (51 direct, 4 indirect)

Ecosystem-wide dependent count for version 16.1.1.

DescriptionGitHub Advisory

Summary

Description

An insufficient authorization (CWE-285) and information exposure (CWE-200) issue in OpenAM's session management endpoint allows a low-privileged authenticated user to retrieve active session credentials belonging to other users, including those with higher privileges. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.

This may be related to CVE-2021-4201, a similar issue patched in ForgeRock Access Management, a separate product sharing a common codebase ancestry.

Impact

OpenAM Community Edition deployments through version 16.0.6 using stateful session storage and exposing the session management endpoint are potentially affected. The endpoint does not enforce ownership or privilege checks when querying session information, meaning an authenticated user may retrieve active session credentials for arbitrary users. Successful exploitation requires a valid low-privilege session and knowledge of a target user's identity identifier, which may be obtainable through normal platform functionality.

If credentials belonging to a highly privileged account are obtained, this could enable further administrative actions within the platform

Patch

This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.

AnalysisAI

Authenticated privilege escalation in OpenAM Community Edition through 16.0.6 allows a low-privileged user to retrieve raw session tokens belonging to arbitrary other users via the session management RPC endpoint, which fails to enforce ownership or privilege checks. Capturing an administrator's session token enables full account takeover of higher-privileged accounts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain low-privilege OpenAM account
Delivery
Authenticate to acquire session
Exploit
Enumerate target admin user identifier
Install
Query session management endpoint for victim
C2
Receive raw session token in response
Execute
Replay token as administrator
Impact
Perform privileged actions on platform

Vulnerability AssessmentAI

Exploitation Requires a valid authenticated low-privilege OpenAM session (PR:L), the OpenAM deployment must use stateful server-side session storage rather than client-side/JWT sessions, and the session management RPC endpoint must be network-reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (8.5 High) reflects a network-reachable flaw exploitable by any low-privileged authenticated user, with a scope change because compromising another user's session crosses an authorization boundary to a different security authority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains any low-privileged OpenAM account, authenticates normally to receive a valid session, then enumerates or guesses an administrator's user identifier (often discoverable through search, audit, or directory APIs). They issue a crafted request to the session management endpoint asking for that admin's active session, receive the raw session token in the response, and replay it as a bearer cookie to act as the administrator across the OpenAM console and any federated relying parties.
Remediation Upgrade to OpenAM Community Edition 16.1.1 or later, which contains the authorization fix per the GHSA-vvhj-w2jq-263q advisory; the Maven coordinates are org.openidentityplatform.openam:openam-core version 16.1.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running OpenAM Community Edition versions ≤16.0.6 and identify assets with administrative accounts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-45048 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy