OpenAM CVE-2026-47426
HIGHSeverity by source
Network token endpoint (AV:N), no special complexity (AC:L); attacker needs a registered client so PR:L; impersonation across other clients/realms is a scope change (S:C) with high confidentiality and integrity impact, no availability effect.
Lifecycle Timeline
1DescriptionCVE.org
Summary
Description
An Improper Authentication (CWE-287) issue in OpenAM's OAuth2 private_key_jwt client authentication path allows any registered OAuth2 client to mint tokens in the name of any other client whose key is published via a jwks_uri, without knowing the victim's signing key. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.
Impact
OpenAM Community Edition deployments through version 16.0.6 that have OAuth2 clients configured for private_key_jwt authentication with keys published via jwks_uri are potentially affected. An attacker holding any such client registration, their own, or one obtained through open dynamic client registration where enabled, can mint access tokens in any other such client's name, in any realm hosted by the OpenAM process.
Patch
This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.
AnalysisAI
Cross-client token impersonation in OpenAM Community Edition (Open Identity Platform fork) through 16.0.6 allows any registered OAuth2 client to forge private_key_jwt client assertions and mint access tokens in the name of any other client that publishes its keys via a jwks_uri, with no knowledge of the victim's signing key. The flaw, rooted in improper authentication (CWE-287) in the OAuth2 token endpoint, lets an attacker holding any client registration impersonate other clients across every realm hosted by the OpenAM process. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the OpenAM deployment have OAuth2 clients configured for private_key_jwt client authentication with their keys published via a remote jwks_uri - this exact configuration is the necessary precondition; deployments not using private_key_jwt-with-jwks_uri are not exploitable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector, EPSS score, KEV entry, or public POC was provided, so quantitative exploitation-likelihood signals are absent and must be inferred. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker obtains a legitimate OAuth2 client registration in the OpenAM deployment - using their own registered client, or self-registering one where open dynamic client registration is enabled - then crafts a private_key_jwt client assertion impersonating a privileged victim client whose key is published via jwks_uri. They present it to the token endpoint and receive access tokens issued in the victim client's name in any realm on that OpenAM process, gaining whatever access the victim client is authorized for. … |
| Remediation | Vendor-released patch: 16.1.1 - upgrade OpenAM Community Edition to 16.1.1 or later, per the GitHub Security Advisory GHSA-f2cx-463q-7m2c (https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-f2cx-463q-7m2c). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all OpenAM Community Edition deployments and document current versions; audit registered OAuth2 clients and review recent token issuance logs for anomalies. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-f2cx-463q-7m2c