OpenAM CVE-2026-45049
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Network-reachable servlet, no attacker auth, but requires victim click plus CDSSO enabled and missing hardening config (AC:H, UI:R); stolen session yields full C/I/A on downstream apps (scope change).
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
Description
An Information Exposure Through Sent Data (CWE-201) issue in OpenAM's Cross-Domain Single Sign-On (CDSSO) servlet allows a logged-in user's raw OpenAM session token to be POSTed to an attacker-controlled URL. This impacts OpenAM Community Edition through version 16.0.6. This issue was patched in version 16.1.1.
An attacker who can induce a logged-in victim to visit a crafted URL may receive the victim's session credential, which could enable session hijacking.
Impact
OpenAM deployments through version 16.0.6 that have CDSSO enabled are potentially affected. The CDSSO component is commonly enabled in multi-domain deployments. Exploitation requires user interaction - an authenticated user must be induced to visit an attacker-crafted URL - and is further gated on a non-default configuration being absent.
Patch
This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.
AnalysisAI
Session token disclosure in OpenAM Community Edition through 16.0.6 allows a remote attacker to harvest an authenticated victim's raw OpenAM session credential by tricking them into visiting a crafted URL that abuses the Cross-Domain Single Sign-On (CDSSO) servlet to POST the token to an attacker-controlled endpoint. Successful exploitation enables full session hijacking against deployments where CDSSO is enabled and a specific non-default hardening configuration is absent. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target OpenAM Community Edition instance must be version 16.0.6 or earlier with the Cross-Domain Single Sign-On (CDSSO) feature enabled and the CDCServlet reachable to the victim's browser, and the non-default hardening configuration that constrains CDSSO redirect destinations must be absent (its presence blocks the attack). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H scores 8.3 (High), reflecting that an unauthenticated remote attacker can fully compromise an authenticated session (scope change to the downstream application) but only with user interaction and high attack complexity due to the required CDSSO configuration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a phishing link that points at the CDCServlet on a target organisation's OpenAM server with a Goto/redirect parameter referencing the attacker's own HTTPS endpoint, then sends it to an employee who is already logged in to the SSO portal. When the victim clicks, the servlet POSTs the victim's raw OpenAM session token to the attacker's URL, after which the attacker replays the token against internal applications and takes over the session. … |
| Remediation | Vendor-released patch: OpenAM Community Edition 16.1.1 - upgrade openam-federation and the wider OpenAM distribution to 16.1.1 or later as the primary fix, per advisory GHSA-r9pv-5rpp-vm8g (https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-r9pv-5rpp-vm8g). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all OpenAM Community Edition instances running versions through 16.0.6 and determine if CDSSO is enabled. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-r9pv-5rpp-vm8g