OpenAM CVE-2026-46498
HIGHSeverity by source
Network-reachable but gated by a non-default CTS write primitive and prior Push registration (AC:H, PR:L); token forgery impacts relying parties beyond OpenAM (S:C) with high confidentiality/integrity but no availability effect.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
2DescriptionCVE.org
Summary
Description
An Authorization Bypass Through User-Controlled Key (CWE-639) exists in OpenAM's stateful OAuth2 token-read path. Under certain conditions, this may allow an attacker to forge OAuth2 bearer tokens and OIDC ID tokens with arbitrary subject, client, realm, and scope. This affects OpenAM Community Edition through version 16.0.6.
The OAuth2 token-read path reads caller-supplied token identifiers from the shared Core Token Store (CTS) without placing them in an OAuth-only namespace and without binding the row's trusted CTS type to the expected OAuth token family, so any CTS row whose BLOB claims to be an OAuth token is accepted on the read path with no integrity check.
Impact
OpenAM Community Edition deployments through version 16.0.6 with the OAuth2 Provider service enabled in a realm are potentially affected, but the vulnerable read path is only reachable once an attacker can place attacker-controlled JSON into the shared CTS under an identifier they know. For example, an anonymous Push Notification SNS callback handler, reachable by any low-privileged user in a Push Notification-enabled realm after a single legitimate Push registration can trigger the exploit.
In any deployment where such a primitive exists, an attacker can forge OAuth2 bearer tokens with attacker-chosen userName, clientID, realm, and scope. The compromise does not by itself create an OpenAM SSO session or grant admin-console access.
Patch
This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.
AnalysisAI
OAuth2/OIDC token forgery in OpenIdentity Platform's OpenAM Community Edition (through 16.0.6) lets an attacker mint OAuth2 bearer tokens and OIDC ID tokens with arbitrary subject (userName), clientID, realm, and scope by abusing the stateful token-read path's failure to namespace and type-check Core Token Store (CTS) rows. The flaw is an Authorization Bypass Through User-Controlled Key (CWE-639): any CTS row whose BLOB merely claims to be an OAuth token is trusted on read with no integrity check, so an attacker who can write attacker-controlled JSON to CTS under a known identifier can impersonate any user or client. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a realm with the OAuth2 Provider service enabled (exposes the vulnerable stateful token-read path) AND a primitive that writes attacker-controlled JSON into the shared Core Token Store under an identifier the attacker knows. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS score or vector was supplied by NVD or the vendor, so quantitative signals (CVSS, EPSS) and CISA KEV status are all absent; there is no evidence of active exploitation and no public PoC at time of analysis. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | In an OpenAM realm with both the OAuth2 Provider and Push Notification services enabled, an attacker performs one legitimate Push registration and then abuses the anonymous Push SNS callback handler to write attacker-controlled JSON into the shared CTS under an identifier they know. The attacker then calls the stateful OAuth2 token-read path with that identifier; OpenAM trusts the self-declared OAuth claims and returns a forged bearer/OIDC token with an arbitrary userName, clientID, realm, and scope, which the attacker presents to downstream relying applications to impersonate any user. … |
| Remediation | Vendor-released patch: 16.1.1 - upgrade OpenAM Community Edition to 16.1.1 or later, which also bundles numerous other dependency CVE fixes; this is the primary and recommended remediation (release: https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.1.1, advisory: https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-cj8f-2fhf-826r). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all OpenAM instances running version 16.0.6 or earlier and assess exposure to Core Token Store write access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-cj8f-2fhf-826r