OpenAM CVE-2026-46623
HIGHSeverity by source
Remote unauthenticated against a public endpoint (AV:N/PR:N/UI:N); AC:H because exploitation depends on the victim having completed prerequisite OAuth2 logins outside attacker control; full account takeover gives C:H/I:H, no direct availability loss.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
2DescriptionCVE.org
Summary
Description
An Unverified Password Change (CWE-620) and Use of Weak Credentials (CWE-1391) issue in OpenAM's OAuth2 authentication module silently rewrites a local user's password to the literal string of their username on OAuth2 re-login of an existing account. The default ldapService chain then accepts the username as the password for that user, allowing an unauthenticated attacker to obtain a session via the standard authenticate endpoint with both username and password set to the username, without any IdP interaction. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.
Impact
OpenAM Community Edition deployments through version 16.0.6 that use the OAuth2 authentication module with account creation enabled (the default) are potentially affected. After two OAuth logins of a given user, that user's local password becomes their username, and the account is reachable through the default ldapService chain with username as both identifier and password. For pre-existing users whose IdP profile resolves against an existing local identifier, the rewrite fires on the very first re-login.
Usernames shorter than the default minimum password length have the rewrite silently denied (so very short administrative accounts are not affected), and the same update path marks accounts active on every OAuth login, silently reactivating disabled accounts.
Successful exploitation grants an unauthenticated attacker a session carrying the victim principal's privileges.
Patch
This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.
AnalysisAI
Authentication bypass and account takeover in OpenAM Community Edition (OpenIdentity Platform) through 16.0.6 allows unauthenticated attackers to log in as any user who has authenticated via the OAuth2 module. The OAuth2 module silently rewrites a local user's password to the literal value of their own username, after which the default ldapService chain accepts the username as both identifier and password at the standard authenticate endpoint - no IdP interaction needed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the OpenAM OAuth2 authentication module to be enabled with account creation on (the default) and the default ldapService chain in use. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS or EPSS was supplied by any source, and the CVE is not in CISA KEV, so exploitation-probability signals are absent and must be reasoned from the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker enumerates or already knows the username of a victim who uses OAuth2/social login on an OpenAM-protected service. After the victim's normal OAuth2 logins have triggered the silent password rewrite, the attacker simply POSTs to OpenAM's standard authenticate endpoint with both the username and password fields set to that username and receives a valid session bearing the victim's privileges - with no IdP interaction and no credential theft. … |
| Remediation | Vendor-released patch: upgrade to OpenAM Community Edition 16.1.1 or later, which corrects the OAuth2 module's password-rewrite behavior - this is the primary and authoritative fix per advisory GHSA-gf57-4mp6-m85x (https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-gf57-4mp6-m85x). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all OpenAM instances running version 16.0.6 or earlier with OAuth2 module enabled; disable OAuth2 if operationally feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-620 – Unverified Password Change
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-gf57-4mp6-m85x