Skip to main content

OpenAM CVE-2026-48717

MEDIUM
Improper Authorization (CWE-285)
2026-06-29 https://github.com/OpenIdentityPlatform/OpenAM GHSA-4v2w-2wqp-mc85
Share

Severity by source

vuln.today AI
5.9 MEDIUM

Network vector for public clients needing no auth (PR:N); AC:H for required code interception; UI:R as victim must initiate flow; C:H for token theft, I:L for potential scope-dependent writes, A:N.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 18:21 vuln.today

DescriptionCVE.org

Summary

Description

An Improper Authorization (CWE-285) issue in OpenAM's OAuth2 authorization-code grant allows a PKCE-protected authorization code to be redeemed without the required code_verifier. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.

The authorize endpoint stores a code_challenge on the issued code, but the token endpoint only requires a code_verifier when the realm-wide codeVerifierEnforced setting is enabled, which ships disabled by default. With that setting off, the stored challenge is checked only if the caller supplies a verifier, so omitting the parameter skips PKCE verification entirely.

Impact

OpenAM Community Edition deployments through version 16.0.6 using the default OAuth2 provider configuration are potentially affected. For public clients, an attacker who intercepts an authorization code can exchange it for tokens without knowing the verifier. For confidential clients, the attacker additionally needs client authentication material or an execution context that can redeem the code. A token request supplying an incorrect verifier is still rejected. The bypass is specifically the missing-parameter path.

Patch

This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.

AnalysisAI

PKCE bypass in OpenAM Community Edition through 16.0.6 allows an attacker who intercepts an OAuth2 authorization code to exchange it for tokens without supplying the required code_verifier. The token endpoint only enforces PKCE verification when the realm-wide codeVerifierEnforced setting is explicitly enabled - a setting that ships disabled by default - meaning omitting the code_verifier parameter silently skips the challenge check entirely. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Victim initiates OAuth2 authorization code flow
Delivery
Attacker intercepts issued authorization code
Exploit
Craft token request omitting code_verifier
Execution
Token endpoint skips PKCE check (default config)
Persist
Receive valid access and refresh tokens
Impact
Access victim's protected resources

Vulnerability AssessmentAI

Exploitation Exploitation requires that the OpenAM realm's codeVerifierEnforced setting is disabled, which is the default configuration shipped with OpenAM Community Edition - meaning most unmodified deployments are in the vulnerable state. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No NVD CVSS vector is provided in the source data, so severity is based on independent assessment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a public client OAuth2 flow - for example via a malicious redirect_uri registration, a MITM on an insecure redirect, or an open-redirect chain - intercepts a victim's single-use authorization code. The attacker then sends a standard token endpoint request including the stolen code but omitting the code_verifier parameter entirely. …
Remediation Upgrade to OpenAM Community Edition 16.1.1, which patches this issue per the upstream GitHub advisory at https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-4v2w-2wqp-mc85. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48717 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy