Skip to main content

OpenAM CVE-2026-47426

HIGH
Improper Authentication (CWE-287)
2026-06-29 https://github.com/OpenIdentityPlatform/OpenAM GHSA-f2cx-463q-7m2c
Share

Severity by source

vuln.today AI
9.6 CRITICAL

Network token endpoint (AV:N), no special complexity (AC:L); attacker needs a registered client so PR:L; impersonation across other clients/realms is a scope change (S:C) with high confidentiality and integrity impact, no availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 18:20 vuln.today

DescriptionCVE.org

Summary

Description

An Improper Authentication (CWE-287) issue in OpenAM's OAuth2 private_key_jwt client authentication path allows any registered OAuth2 client to mint tokens in the name of any other client whose key is published via a jwks_uri, without knowing the victim's signing key. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.

Impact

OpenAM Community Edition deployments through version 16.0.6 that have OAuth2 clients configured for private_key_jwt authentication with keys published via jwks_uri are potentially affected. An attacker holding any such client registration, their own, or one obtained through open dynamic client registration where enabled, can mint access tokens in any other such client's name, in any realm hosted by the OpenAM process.

Patch

This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.

AnalysisAI

Cross-client token impersonation in OpenAM Community Edition (Open Identity Platform fork) through 16.0.6 allows any registered OAuth2 client to forge private_key_jwt client assertions and mint access tokens in the name of any other client that publishes its keys via a jwks_uri, with no knowledge of the victim's signing key. The flaw, rooted in improper authentication (CWE-287) in the OAuth2 token endpoint, lets an attacker holding any client registration impersonate other clients across every realm hosted by the OpenAM process. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or self-register an OAuth2 client
Delivery
Forge private_key_jwt assertion as victim client
Exploit
Submit assertion to token endpoint
Execution
Server validates against victim jwks_uri
Persist
Receive tokens in victim's name
Impact
Access resources across realms

Vulnerability AssessmentAI

Exploitation Exploitation requires that the OpenAM deployment have OAuth2 clients configured for private_key_jwt client authentication with their keys published via a remote jwks_uri - this exact configuration is the necessary precondition; deployments not using private_key_jwt-with-jwks_uri are not exploitable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector, EPSS score, KEV entry, or public POC was provided, so quantitative exploitation-likelihood signals are absent and must be inferred. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker obtains a legitimate OAuth2 client registration in the OpenAM deployment - using their own registered client, or self-registering one where open dynamic client registration is enabled - then crafts a private_key_jwt client assertion impersonating a privileged victim client whose key is published via jwks_uri. They present it to the token endpoint and receive access tokens issued in the victim client's name in any realm on that OpenAM process, gaining whatever access the victim client is authorized for. …
Remediation Vendor-released patch: 16.1.1 - upgrade OpenAM Community Edition to 16.1.1 or later, per the GitHub Security Advisory GHSA-f2cx-463q-7m2c (https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-f2cx-463q-7m2c). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all OpenAM Community Edition deployments and document current versions; audit registered OAuth2 clients and review recent token issuance logs for anomalies. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-47426 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy