
OpenDJ CVE-2026-46495

Severity: CRITICAL
Weakness: Deserialization of Untrusted Data (CWE-502)
Published: 2026-06-22
Project: https://github.com/OpenIdentityPlatform/OpenDJ
Advisory: GHSA-43x2-g84q-fmqx

Severity by source

vuln.today (AI estimate): 9.8 CRITICAL

Network-reachable JMX/RMI port, pre-authentication deserialization with no user interaction, and demonstrated RCE yielding full confidentiality, integrity, and availability impact on the host.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

  • CVE Published: Jun 22, 2026 22:00 (cve.org), rated CRITICAL
  • Source Code Evidence Fetched: Jun 22, 2026 21:50 (vuln.today)
  • Analysis Generated: Jun 22, 2026 21:50 (vuln.today)

Description (source: CVE.org)

Summary

Description

A Deserialization of Untrusted Data (CWE-502) issue in OpenDJ's JMX RMI connector allows an unauthenticated remote attacker to deserialize arbitrary Java objects on the server. The vulnerability exists because the platform reads and processes attacker-controlled bytes prior to authentication. This affects OpenDJ Community Edition through 5.1.0. This has been patched in version 5.1.1.

Impact

This impacts all current OpenDJ releases where the JMX Connection Handler is enabled. While disabled by default, it is frequently enabled in practice for monitoring integrations. Exploitation requires TCP reachability to the configured listener and does not require authentication, prior privileges, or client certificates. Successful exploitation results in unauthenticated Remote Code Execution (RCE), with the severity depending on the runtime classpath and Java version. Unauthenticated RCE was demonstrated on OpenDJ 4.4.15 (JDK 11 + Jackson 2.12.6.1).

Patch

This has been patched in OpenDJ Community Edition version 5.1.1. Users are encouraged to update to the latest release.

Analysis (AI-generated)

Unauthenticated remote code execution in OpenDJ Community Edition through 5.1.0 occurs when the JMX RMI connector deserializes attacker-controlled Java objects before authentication is performed. Any deployment with the JMX Connection Handler enabled (commonly turned on for monitoring integrations) is exposed to pre-auth RCE over TCP, as demonstrated against OpenDJ 4.4.15 on JDK 11 with Jackson 2.12.6.1. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Identify exposed OpenDJ JMX/RMI port
  • Delivery: Establish TCP connection to listener
  • Exploit: Send malicious serialized Java object
  • Execution: Pre-auth ObjectInputStream.readObject() triggers gadget chain
  • Persist: Execute commands as OpenDJ service user
  • Impact: Pivot into directory and identity data

Vulnerability Assessment (AI-generated)

Exploitation: The target must run OpenDJ Community Edition 5.1.0 or earlier with the JMX Connection Handler explicitly enabled (it is off in default configurations but commonly turned on for monitoring), and the attacker needs TCP reachability to the configured JMX RMI listener port. …

Risk Assessment: No CVSS vector was published with this advisory, but the described conditions (network attack vector, no authentication, no user interaction, full RCE) map to a CVSS 3.1 critical-range vector (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H). …

Exploit Scenario: An attacker with TCP reachability to an OpenDJ instance that has the JMX Connection Handler enabled connects to the JMX/RMI listener and sends a crafted serialized Java object stream. Because OpenDJ deserializes the bytes before authentication, a gadget chain present on the server's classpath (such as Jackson 2.12.6.1 in the demonstrated case) is triggered during readObject() and executes attacker-chosen commands as the OpenDJ service account. …

Remediation: Upgrade to OpenDJ Community Edition 5.1.1 or later, the vendor-released patched version per GHSA-43x2-g84q-fmqx (https://github.com/OpenIdentityPlatform/OpenDJ/security/advisories/GHSA-43x2-g84q-fmqx). …

Recommended Action (AI-generated)

Within 24 hours: Audit network access to the JMX RMI listener (default port 9010) and identify all OpenDJ Community Edition instances running versions through 5.1.0. …
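A triage helper for the audit step above, added here as an example and not part of the advisory or of OpenDJ itself: it applies the exposure conditions stated on this page (Community Edition through 5.1.0, JMX Connection Handler enabled, listener reachable on the default port 9010) to a constructed inventory and ranks each instance. The host names, version strings, the JMX-enabled flag and the `ss -ltn` lines are hand-written assumptions for the demonstration.

```python
import re

PATCHED_VERSION = (5, 1, 1)   # first fixed release named in the advisory
JMX_DEFAULT_PORT = 9010       # default JMX RMI listener port named on this page
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}


def parse_version(text):
    """'5.1.0' or 'OpenDJ 4.4.15' -> (5, 1, 0); missing components count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def jmx_bind_address(ss_output, port=JMX_DEFAULT_PORT):
    """Scan `ss -ltn` style lines for a LISTEN socket on `port`; return its bind address."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            addr, _, p = fields[3].rpartition(":")
            if p == str(port):
                return addr
    return None


def triage(version, jmx_handler_enabled, ss_output):
    """Rank one instance: 3 = patch now, 2 = loopback-only listener, 1 = handler off, 0 = patched."""
    if parse_version(version) >= PATCHED_VERSION:
        return 0, "patched (5.1.1 or later)"
    if not jmx_handler_enabled:
        return 1, "affected version but JMX Connection Handler disabled; schedule upgrade"
    addr = jmx_bind_address(ss_output)
    if addr is None:
        return 1, "handler reported enabled but no listener on port %d; verify config" % JMX_DEFAULT_PORT
    if addr in LOOPBACK:
        return 2, "listener bound to %s only; upgrade and keep it off the network" % addr
    return 3, "pre-auth deserialization reachable on %s:%d; upgrade to 5.1.1 now" % (addr, JMX_DEFAULT_PORT)


# Constructed sample data (not real hosts); the ss output below is hand-written.
SS_EXPOSED = "State Recv-Q Send-Q Local Address:Port Peer Address:Port\nLISTEN 0 128 0.0.0.0:9010 0.0.0.0:*\nLISTEN 0 128 0.0.0.0:1389 0.0.0.0:*\n"
SS_LOCAL = "LISTEN 0 128 127.0.0.1:9010 0.0.0.0:*\n"

INVENTORY = [  # (host, version, JMX handler enabled, ss -ltn output)
    ("ldap-a", "5.1.0", True, SS_EXPOSED),
    ("ldap-b", "5.1.1", True, SS_EXPOSED),
    ("ldap-c", "4.4.15", False, ""),
    ("ldap-d", "5.0.2", True, SS_LOCAL),
]

if __name__ == "__main__":
    for name, ver, jmx, ss in INVENTORY:
        print(name, ver, *triage(ver, jmx, ss))
```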


CVE-2026-46495 vulnerability details – vuln.today