Skip to main content

OpenAM CVE-2026-45052

CRITICAL
Improper Authorization (CWE-285)
2026-06-24 https://github.com/OpenIdentityPlatform/OpenAM GHSA-p462-xxwx-pqf4
Share

Severity by source

vuln.today AI
7.5 HIGH

Unauthenticated network SOAP write reachable in defaults gives AV:N/AC:L/PR:N/UI:N; impact is a persistent integrity write (I:H) with no read or availability loss (C:N/A:N), scope unchanged as it stays within the LDAP identity store.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 24, 2026 - 17:50 vuln.today
Analysis Generated
Jun 24, 2026 - 17:50 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 8 maven packages depend on org.openidentityplatform.openam:openam-federation-library (5 direct, 3 indirect)

Ecosystem-wide dependent count for version 16.1.1.

DescriptionCVE.org

Summary

Description

An Improper Authorization (CWE-285) issue in OpenAM's Liberty Web Services SOAP receiver allows an unauthenticated remote attacker to write persistent entries into the Liberty Discovery store on any user's LDAP entry, and into a shared root-realm Discovery branch. This impacts OpenAM Community Edition through version 16.0.6. This issue was patched in version 16.1.1.

Liberty ID-WSF is a legacy protocol superseded by SAML 2.0, OAuth, and OIDC, and deployments that intentionally leverage it assume the risks of an unmaintained federation stack. While Liberty is exposed in the shipped defaults, this bug does not require active Liberty consumers for the write itself. Downstream impact depends on whether anything consumes Discovery data. The endpoint accepts anonymous writes that are performed server-side by the Discovery handlers, bypassing the requester's LDAP and identity ACLs. The global Discovery path explicitly uses the internal admin token.

Impact

OpenAM Community Edition deployments through version 16.0.6 that expose the Liberty Web Services component are potentially affected. An unauthenticated attacker who can reach the relevant endpoint may write persistent records to the discovery store, bypassing normal identity-layer access controls.

These writes are performed with elevated internal privileges server-side. In deployments that actively consume Liberty discovery data, manipulated records could influence service routing or security mechanism selection in subsequent requests. The severity of downstream impact varies by deployment..

Patch

This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.

AnalysisAI

Improper authorization in OpenAM Community Edition's Liberty ID-WSF SOAP receiver lets an unauthenticated remote attacker write persistent entries into the Liberty Discovery store on any user's LDAP entry and into a shared root-realm Discovery branch, with the writes executed server-side under elevated internal privileges (the global path explicitly uses the internal admin token). All Open Identity Platform OpenAM Community Edition releases through 16.0.6 that expose the Liberty Web Services component are affected; the issue is fixed in 16.1.1. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Reach exposed Liberty SOAP endpoint
Delivery
Send anonymous Discovery write request
Exploit
Server persists entry via internal admin token
Install
Bypass identity/LDAP ACLs
C2
Inject record into victim or root-realm store
Execute
Consumer reads tampered Discovery data
Impact
Influence service routing or security selection

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target OpenAM Community Edition instance (≤16.0.6) expose the Liberty Web Services SOAP receiver / Discovery endpoint to the attacker - this component is present and reachable in shipped defaults, so no special configuration is needed to perform the write itself; the attacker needs network reachability to that SOAP endpoint and nothing else (no credentials, no user interaction). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector was supplied by the vendor (CVSS Score: N/A), so severity must be reasoned from the description: the attack is network-reachable, unauthenticated, requires no user interaction, and yields a persistent integrity write bypassing identity ACLs - characteristics that independently map to a high base score (assessed CVSS:3.1 7.5, vector below). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach an OpenAM server's Liberty Web Services SOAP endpoint sends an anonymous SOAP request to the Discovery write handler, causing the server to persist an attacker-chosen Discovery entry into a victim's LDAP entry or the shared root realm using OpenAM's internal admin token - without any credentials. In a deployment that later consumes that Discovery data, the planted entry could steer service routing or security-mechanism selection toward an attacker-controlled or weaker endpoint. …
Remediation Primary fix: upgrade to OpenAM Community Edition 16.1.1, which the vendor confirms patches this issue (Vendor-released patch: 16.1.1); review release notes at the Open Identity Platform OpenAM repository and the advisory GHSA-p462-xxwx-pqf4. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all OpenAM Community Edition instances running versions through 16.0.6; document Liberty Web Services configuration and disable the Liberty ID-WSF SOAP receiver if not operationally critical. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-45052 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy