OpenAM CVE-2026-45794
HIGHSeverity by source
Network-reachable but requires a low-privileged registration user (PR:L) and a dispatcher-expiry timing window (AC:H); strong integrity/availability impact via blob overwrite and DoS, limited confidentiality, RCE unconfirmed.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1 maven packages depend on org.openidentityplatform.openam:openam-push-notification (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 16.1.1.
DescriptionCVE.org
Summary
Description
A Deserialization of Untrusted Data (CWE-502) issue exists in OpenAM's Push Notification SNS callback resource. The REST route that handles SNS push messages is mounted with anonymous access and, when a supplied message identifier has expired from the in-memory dispatcher, falls back to a CTS-stored predicate blob whose top-level keys are treated as Java class names and passed to Class.forName(...) before attacker-controlled JSON is deserialized via Jackson. This impacts OpenAM Community Edition through version 16.0.6. This issue was patched in version 16.1.1.
Arbitrary attacker-controlled code execution was not confirmed on tested stock classpaths for the latest release, but the flaw yields a reliable class-loading and Jackson-construction primitive whose impacts include remotely triggerable process execution, file writes, and DoS, depending on the deployment's classpath and environment.
Impact
OpenAM Community Edition deployments through version 16.0.6 that enable the Push Notification Service with SNS callbacks are potentially affected. While the callback route itself is anonymous, the planting step requires a low-privileged user who can start Push Registration and read their own QR-code payload. After that user obtains the server-issued messageId, shared secret, and challenge, they can wait for the in-memory dispatcher entry to expire and then send anonymous SNS callbacks that overwrite the persistent CTS blob with attacker-controlled JSON. A later anonymous callback for the same messageId causes OpenAM to load an attacker-named class and construct it with attacker-controlled values.
The planted blob is processed server-side with internal CTS privileges, giving a reliable class-loading and Jackson-construction primitive that can corrupt the push-token record and trigger classpath-dependent side effects in the OpenAM JVM. Arbitrary attacker-controlled command execution was not confirmed on the tested stock classpaths; practical severity depends on enabled Push Registration flows, JDK version, bundled or co-deployed classes, and whether any reachable class-loading or construction side effects are security-relevant in the deployment.
Patch
This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.
AnalysisAI
Unsafe Java deserialization (CWE-502) in OpenAM Community Edition through 16.0.6 lets attackers abuse the anonymous Push Notification SNS callback REST route to force the server to load an attacker-named class and construct it from attacker-controlled JSON via Jackson. A low-privileged user who starts Push Registration can plant a malicious CTS predicate blob, then drive anonymous callbacks that yield a reliable class-loading and Jackson-construction primitive with classpath-dependent impacts ranging from token-record corruption and DoS to potential process execution and file writes. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the OpenAM Push Notification Service to be enabled with SNS callbacks configured (the vulnerable REST route only exists in that mode). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS, EPSS, or KEV data was supplied, so quantitative signals are absent and exploitation status is 'no public exploit identified at time of analysis.' Tags (RCE, Java, Deserialization) and the advisory frame this as a deserialization-to-code-execution class issue, but the vendor explicitly states arbitrary command execution was NOT confirmed on tested stock classpaths - meaning the worst-case RCE outcome is conditional on co-deployed/bundled gadget classes, JDK version, and enabled Push flows rather than guaranteed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged OpenAM user starts Push Registration, captures the server-issued messageId, shared secret, and challenge from their own QR payload, and waits for the in-memory dispatcher entry to expire. They then send anonymous SNS callbacks that overwrite the persistent CTS predicate blob with crafted JSON keyed by a chosen Java class name; a subsequent anonymous callback for that messageId makes OpenAM call Class.forName on the attacker's class and construct it via Jackson with attacker-controlled values. … |
| Remediation | Upgrade to OpenAM Community Edition 16.1.1 or later (Vendor-released patch: 16.1.1), per advisory GHSA-pp89-732f-3g8q (https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-pp89-732f-3g8q). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all OpenAM Community Edition instances and document their versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-pp89-732f-3g8q