OpenAM CVE-2026-46619
HIGHSeverity by source
Advisory states unauthenticated remote password-less bypass (AV:N/PR:N/UI:N), default allow-all gateway keeps it low-complexity (AC:L), yielding full account impersonation (C:H/I:H) with no availability impact.
Lifecycle Timeline
2DescriptionCVE.org
Summary
Description
An LDAP Injection (CWE-90) vulnerability in the MSISDN authentication module allows an unauthenticated, remote attacker to obtain an arbitrary OpenAM session without a password in the default trusted gateway configuration. This impacts OpenAM Community Edition through version 16.0.6. This issue was patched in version 16.1.1.
Impact
OpenAM deployments through version 16.0.6 that have MSISDN enabled are potentially affected. This enables a pre-authentication login bypass for any realm where an MSISDN module instance is enabled in an authentication chain and reachable through the trusted-gateway list, which allows all traffic by default. The request-supplied MSISDN value was concatenated directly into an LDAP search filter. The resulting OpenAM session is a normal authenticated session for the matched user.
Patch
This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.
AnalysisAI
Pre-authentication login bypass in OpenAM Community Edition through 16.0.6 lets an unauthenticated remote attacker mint a valid OpenAM session for an arbitrary user without supplying a password. The MSISDN authentication module concatenates a request-supplied MSISDN value directly into an LDAP search filter (CWE-90), and because the default trusted-gateway list permits all traffic, any realm with an MSISDN module in its authentication chain is reachable and exploitable. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target realm have an MSISDN authentication module instance enabled within one of its authentication chains and that the request path be reachable through the trusted-gateway list - which, by default, allows all traffic, so no gateway restriction blocks the attacker out of the box. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS score or vector was provided in the input, so attack metrics are inferred from the advisory text rather than confirmed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach an OpenAM realm whose authentication chain includes the MSISDN module sends a login request carrying a crafted MSISDN value containing LDAP filter metacharacters (for example a wildcard) instead of a real subscriber number. The injected filter matches a chosen or privileged directory user, and OpenAM returns a fully authenticated session for that account with no password ever supplied. … |
| Remediation | Vendor-released patch: 16.1.1 - upgrade OpenAM Community Edition to 16.1.1 or later, as cited in advisory GHSA-xq73-fvmr-jvmm (https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-xq73-fvmr-jvmm). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all OpenAM Community Edition instances and determine if MSISDN authentication module is active in any realm. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at
A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6
Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p
Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re
A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P
Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au
Same weakness CWE-90 – LDAP Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-xq73-fvmr-jvmm