OpenAM CVE-2026-45051
CRITICALSeverity by source
WebAuthn flow is network-reachable (AV:N) but exploitation needs a non-default config plus a prior write primitive into a controlled attribute, so AC:H and PR:L; deserialization yields full code execution (C/I/A:H).
Lifecycle Timeline
2DescriptionCVE.org
Summary
Description
A deserialization of untrusted data vulnerability (CWE-502) exists in OpenAM's WebAuthn authentication module. Under certain conditions, this may allow an attacker to achieve arbitrary code execution in the context of the application server. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.
This is not the default configuration. Exploitation requires that an attacker has previously been able to write attacker-controlled data to a storage attribute read by the WebAuthn module, and that the WebAuthn authentication flow is reachable.
Impact
WebAuthn is a modern shipped module, but the vulnerable configuration requires either the default storage attribute to become attacker-writable, or the WebAuthn userAttribute to be set to an attacker-writable string attribute. That is not the default, but it is feasible in deployments because the product exposes the storage attribute as a free-form admin setting and does not warn or enforce that it must be server-managed and non-user-writable. This may exist through delegated administration, provisioning, write access to the backing LDAP/directory user record, legacy REST self-registration, or unsafe reconfiguration of userAttribute.
In any deployment where the attribute becomes user writable, an attacker can execute arbitrary code as the application server user.
Patch
This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.
AnalysisAI
Arbitrary code execution affects the WebAuthn authentication module of Open Identity Platform OpenAM Community Edition through 16.0.6, where untrusted Java deserialization (CWE-502) of a user-controllable storage attribute lets an attacker run code as the application server user. The vendor advisory (GHSA-6c99-87fr-6q7r) characterizes this as a pre-authentication RCE, but it is reachable only in non-default deployments where the WebAuthn storage/userAttribute has become attacker-writable. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a non-default configuration: either the default WebAuthn storage attribute must have become attacker-writable, or the WebAuthn userAttribute must be set to an attacker-writable free-form string attribute, AND the WebAuthn authentication flow must be reachable to trigger the read/deserialize. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector or score is provided in the source data, and the issue is not in CISA KEV, so prioritization must rest on the advisory text and CWE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | In a deployment where the WebAuthn userAttribute or storage attribute has been pointed at a user-writable directory attribute (for example exposed via self-registration or delegated admin), an attacker writes a crafted serialized Java gadget-chain payload into that attribute for an account. When the WebAuthn authentication flow is then triggered and reads and deserializes that attribute, the gadget chain executes and runs arbitrary code as the application server user. … |
| Remediation | Vendor-released patch: 16.1.1 - upgrade OpenAM Community Edition to 16.1.1 or later, per the advisory at https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-6c99-87fr-6q7r. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all OpenAM Community Edition deployments running versions through 16.0.6 and assess WebAuthn module usage and storage attribute accessibility controls. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-6c99-87fr-6q7r