Skip to main content

OpenAM CVE-2026-47424

HIGH
Protection Mechanism Failure (CWE-693)
2026-06-29 https://github.com/OpenIdentityPlatform/OpenAM GHSA-69j4-qvqr-hpw3
Share

Severity by source

vuln.today AI
9.9 CRITICAL

Network-reachable console with low-privilege script-author auth (PR:L) and no user interaction; sandbox escape crosses realm-to-host trust boundary (S:C) yielding full OS command execution (C/I/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 18:21 vuln.today

DescriptionCVE.org

Summary

Description

A Protection Mechanism Failure (CWE-693) in OpenAM's server-side scripting sandbox allows an authenticated script author execute operating-system commands from the OpenAM JVM with the default class allow and deny lists. This impacts OpenAM Community Edition through version 16.0.6. This issue was patched in version 16.1.1.

Impact

An authenticated user (for example, a realm admin) who can create or edit server-side scripts for an executed context can run OS commands as the OpenAM application server admin. For a sub-realm RealmAdmin, this crosses the documented boundary from realm-scoped administration to JVM/host execution, effectively compromising the whole OpenAM process and every realm it serves. The sandbox is the only code-level defense between a realm script author and arbitrary JVM/OS execution.

Patch

This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.

AnalysisAI

Authenticated remote code execution in Open Identity Platform OpenAM Community Edition through 16.0.6 lets any user able to author or edit server-side scripts escape the scripting sandbox and run OS commands as the OpenAM application-server account. Because the sandbox's default class allow/deny lists fail to contain script execution, a sub-realm RealmAdmin can pivot from realm-scoped administration to full JVM/host compromise, affecting every realm the process serves. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain realm/sub-realm admin credentials
Delivery
Create or edit server-side script
Exploit
Reach process-spawning class past sandbox
Execution
Execute OS commands as OpenAM account
Impact
Compromise JVM host and all realms

Vulnerability AssessmentAI

Exploitation Requires an authenticated account with privileges to create or edit server-side scripts in an executable scripting context (for example a realm or sub-realm administrator / RealmAdmin role) on OpenAM Community Edition 16.0.6 or earlier running the default class allow and deny lists. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector or EPSS score was supplied, and the CVE is not listed in CISA KEV, so quantitative exploitation signals are absent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A delegated sub-realm RealmAdmin (or an attacker who has phished or compromised such an account) logs into the OpenAM console, creates or edits a server-side script in an executed context, and includes code that reaches a process-spawning class the sandbox should have blocked. When the script runs, it executes attacker-chosen OS commands as the OpenAM server account, giving the attacker a host-level foothold across all realms. …
Remediation Vendor-released patch: upgrade to OpenAM Community Edition 16.1.1 or later, which corrects the sandbox class allow/deny enforcement, as described in advisory GHSA-69j4-qvqr-hpw3 (https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-69j4-qvqr-hpw3). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all OpenAM Community Edition deployments and versions in use; enumerate which users hold RealmAdmin privileges across all realms. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-47424 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy