Skip to main content

OpenAM CVE-2026-46498

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-25 https://github.com/OpenIdentityPlatform/OpenAM GHSA-cj8f-2fhf-826r
Share

Severity by source

vuln.today AI
8.2 HIGH

Network-reachable but gated by a non-default CTS write primitive and prior Push registration (AC:H, PR:L); token forgery impacts relying parties beyond OpenAM (S:C) with high confidentiality/integrity but no availability effect.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 25, 2026 - 17:31 vuln.today
Analysis Generated
Jun 25, 2026 - 17:31 vuln.today

DescriptionCVE.org

Summary

Description

An Authorization Bypass Through User-Controlled Key (CWE-639) exists in OpenAM's stateful OAuth2 token-read path. Under certain conditions, this may allow an attacker to forge OAuth2 bearer tokens and OIDC ID tokens with arbitrary subject, client, realm, and scope. This affects OpenAM Community Edition through version 16.0.6.

The OAuth2 token-read path reads caller-supplied token identifiers from the shared Core Token Store (CTS) without placing them in an OAuth-only namespace and without binding the row's trusted CTS type to the expected OAuth token family, so any CTS row whose BLOB claims to be an OAuth token is accepted on the read path with no integrity check.

Impact

OpenAM Community Edition deployments through version 16.0.6 with the OAuth2 Provider service enabled in a realm are potentially affected, but the vulnerable read path is only reachable once an attacker can place attacker-controlled JSON into the shared CTS under an identifier they know. For example, an anonymous Push Notification SNS callback handler, reachable by any low-privileged user in a Push Notification-enabled realm after a single legitimate Push registration can trigger the exploit.

In any deployment where such a primitive exists, an attacker can forge OAuth2 bearer tokens with attacker-chosen userName, clientID, realm, and scope. The compromise does not by itself create an OpenAM SSO session or grant admin-console access.

Patch

This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.

AnalysisAI

OAuth2/OIDC token forgery in OpenIdentity Platform's OpenAM Community Edition (through 16.0.6) lets an attacker mint OAuth2 bearer tokens and OIDC ID tokens with arbitrary subject (userName), clientID, realm, and scope by abusing the stateful token-read path's failure to namespace and type-check Core Token Store (CTS) rows. The flaw is an Authorization Bypass Through User-Controlled Key (CWE-639): any CTS row whose BLOB merely claims to be an OAuth token is trusted on read with no integrity check, so an attacker who can write attacker-controlled JSON to CTS under a known identifier can impersonate any user or client. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify realm with OAuth2 + Push enabled
Delivery
Perform one legitimate Push registration
Exploit
Abuse anonymous SNS callback to write CTS JSON
Execution
Call OAuth2 token-read with known identifier
Persist
Receive forged bearer/OIDC token
Impact
Impersonate arbitrary user at relying app

Vulnerability AssessmentAI

Exploitation Exploitation requires a realm with the OAuth2 Provider service enabled (exposes the vulnerable stateful token-read path) AND a primitive that writes attacker-controlled JSON into the shared Core Token Store under an identifier the attacker knows. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score or vector was supplied by NVD or the vendor, so quantitative signals (CVSS, EPSS) and CISA KEV status are all absent; there is no evidence of active exploitation and no public PoC at time of analysis. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario In an OpenAM realm with both the OAuth2 Provider and Push Notification services enabled, an attacker performs one legitimate Push registration and then abuses the anonymous Push SNS callback handler to write attacker-controlled JSON into the shared CTS under an identifier they know. The attacker then calls the stateful OAuth2 token-read path with that identifier; OpenAM trusts the self-declared OAuth claims and returns a forged bearer/OIDC token with an arbitrary userName, clientID, realm, and scope, which the attacker presents to downstream relying applications to impersonate any user. …
Remediation Vendor-released patch: 16.1.1 - upgrade OpenAM Community Edition to 16.1.1 or later, which also bundles numerous other dependency CVE fixes; this is the primary and recommended remediation (release: https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.1.1, advisory: https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-cj8f-2fhf-826r). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all OpenAM instances running version 16.0.6 or earlier and assess exposure to Core Token Store write access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46498 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy