Skip to main content

OpenAM CVE-2026-46619

HIGH
LDAP Injection (CWE-90)
2026-06-26 https://github.com/OpenIdentityPlatform/OpenAM GHSA-xq73-fvmr-jvmm
Share

Severity by source

vuln.today AI
9.1 CRITICAL

Advisory states unauthenticated remote password-less bypass (AV:N/PR:N/UI:N), default allow-all gateway keeps it low-complexity (AC:L), yielding full account impersonation (C:H/I:H) with no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 26, 2026 - 18:15 vuln.today
Analysis Generated
Jun 26, 2026 - 18:15 vuln.today

DescriptionCVE.org

Summary

Description

An LDAP Injection (CWE-90) vulnerability in the MSISDN authentication module allows an unauthenticated, remote attacker to obtain an arbitrary OpenAM session without a password in the default trusted gateway configuration. This impacts OpenAM Community Edition through version 16.0.6. This issue was patched in version 16.1.1.

Impact

OpenAM deployments through version 16.0.6 that have MSISDN enabled are potentially affected. This enables a pre-authentication login bypass for any realm where an MSISDN module instance is enabled in an authentication chain and reachable through the trusted-gateway list, which allows all traffic by default. The request-supplied MSISDN value was concatenated directly into an LDAP search filter. The resulting OpenAM session is a normal authenticated session for the matched user.

Patch

This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.

AnalysisAI

Pre-authentication login bypass in OpenAM Community Edition through 16.0.6 lets an unauthenticated remote attacker mint a valid OpenAM session for an arbitrary user without supplying a password. The MSISDN authentication module concatenates a request-supplied MSISDN value directly into an LDAP search filter (CWE-90), and because the default trusted-gateway list permits all traffic, any realm with an MSISDN module in its authentication chain is reachable and exploitable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach realm login with MSISDN module
Delivery
Submit crafted MSISDN with LDAP metacharacters
Exploit
Injected filter matches target user
Execution
OpenAM issues authenticated session
Impact
Impersonate account access protected resources

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target realm have an MSISDN authentication module instance enabled within one of its authentication chains and that the request path be reachable through the trusted-gateway list - which, by default, allows all traffic, so no gateway restriction blocks the attacker out of the box. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score or vector was provided in the input, so attack metrics are inferred from the advisory text rather than confirmed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach an OpenAM realm whose authentication chain includes the MSISDN module sends a login request carrying a crafted MSISDN value containing LDAP filter metacharacters (for example a wildcard) instead of a real subscriber number. The injected filter matches a chosen or privileged directory user, and OpenAM returns a fully authenticated session for that account with no password ever supplied. …
Remediation Vendor-released patch: 16.1.1 - upgrade OpenAM Community Edition to 16.1.1 or later, as cited in advisory GHSA-xq73-fvmr-jvmm (https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-xq73-fvmr-jvmm). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all OpenAM Community Edition instances and determine if MSISDN authentication module is active in any realm. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in LDAP

View all
CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2017-14596 CRITICAL POC
9.8 Sep 20

In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,

CVE-2017-8790 CRITICAL POC
9.8 May 05

An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2023-28853 MEDIUM POC
6.5 Apr 04

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2020-36966 MEDIUM POC
6.4 Jan 30

Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at

CVE-2025-36556 MEDIUM POC
6.1 Jan 20

A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6

CVE-2026-23906 CRITICAL
9.8 Feb 10

Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p

CVE-2026-44930 CRITICAL
9.8 May 22

Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)

CVE-2024-33868 CRITICAL
9.8 May 14

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2023-6905 CRITICAL
9.8 Dec 18

A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i

CVE-2021-43350 CRITICAL
9.8 Nov 11

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P

CVE-2026-21880 MEDIUM POC
5.3 Jan 08

Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au

Share

CVE-2026-46619 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy