OpenAM CVE-2026-45052
CRITICALSeverity by source
Unauthenticated network SOAP write reachable in defaults gives AV:N/AC:L/PR:N/UI:N; impact is a persistent integrity write (I:H) with no read or availability loss (C:N/A:N), scope unchanged as it stays within the LDAP identity store.
Lifecycle Timeline
2Blast Radius
ecosystem impact- 8 maven packages depend on org.openidentityplatform.openam:openam-federation-library (5 direct, 3 indirect)
Ecosystem-wide dependent count for version 16.1.1.
DescriptionCVE.org
Summary
Description
An Improper Authorization (CWE-285) issue in OpenAM's Liberty Web Services SOAP receiver allows an unauthenticated remote attacker to write persistent entries into the Liberty Discovery store on any user's LDAP entry, and into a shared root-realm Discovery branch. This impacts OpenAM Community Edition through version 16.0.6. This issue was patched in version 16.1.1.
Liberty ID-WSF is a legacy protocol superseded by SAML 2.0, OAuth, and OIDC, and deployments that intentionally leverage it assume the risks of an unmaintained federation stack. While Liberty is exposed in the shipped defaults, this bug does not require active Liberty consumers for the write itself. Downstream impact depends on whether anything consumes Discovery data. The endpoint accepts anonymous writes that are performed server-side by the Discovery handlers, bypassing the requester's LDAP and identity ACLs. The global Discovery path explicitly uses the internal admin token.
Impact
OpenAM Community Edition deployments through version 16.0.6 that expose the Liberty Web Services component are potentially affected. An unauthenticated attacker who can reach the relevant endpoint may write persistent records to the discovery store, bypassing normal identity-layer access controls.
These writes are performed with elevated internal privileges server-side. In deployments that actively consume Liberty discovery data, manipulated records could influence service routing or security mechanism selection in subsequent requests. The severity of downstream impact varies by deployment..
Patch
This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.
AnalysisAI
Improper authorization in OpenAM Community Edition's Liberty ID-WSF SOAP receiver lets an unauthenticated remote attacker write persistent entries into the Liberty Discovery store on any user's LDAP entry and into a shared root-realm Discovery branch, with the writes executed server-side under elevated internal privileges (the global path explicitly uses the internal admin token). All Open Identity Platform OpenAM Community Edition releases through 16.0.6 that expose the Liberty Web Services component are affected; the issue is fixed in 16.1.1. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target OpenAM Community Edition instance (≤16.0.6) expose the Liberty Web Services SOAP receiver / Discovery endpoint to the attacker - this component is present and reachable in shipped defaults, so no special configuration is needed to perform the write itself; the attacker needs network reachability to that SOAP endpoint and nothing else (no credentials, no user interaction). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector was supplied by the vendor (CVSS Score: N/A), so severity must be reasoned from the description: the attack is network-reachable, unauthenticated, requires no user interaction, and yields a persistent integrity write bypassing identity ACLs - characteristics that independently map to a high base score (assessed CVSS:3.1 7.5, vector below). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach an OpenAM server's Liberty Web Services SOAP endpoint sends an anonymous SOAP request to the Discovery write handler, causing the server to persist an attacker-chosen Discovery entry into a victim's LDAP entry or the shared root realm using OpenAM's internal admin token - without any credentials. In a deployment that later consumes that Discovery data, the planted entry could steer service routing or security-mechanism selection toward an attacker-controlled or weaker endpoint. … |
| Remediation | Primary fix: upgrade to OpenAM Community Edition 16.1.1, which the vendor confirms patches this issue (Vendor-released patch: 16.1.1); review release notes at the Open Identity Platform OpenAM repository and the advisory GHSA-p462-xxwx-pqf4. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all OpenAM Community Edition instances running versions through 16.0.6; document Liberty Web Services configuration and disable the Liberty ID-WSF SOAP receiver if not operationally critical. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-p462-xxwx-pqf4