OpenAM CVE-2026-48717
MEDIUMSeverity by source
Network vector for public clients needing no auth (PR:N); AC:H for required code interception; UI:R as victim must initiate flow; C:H for token theft, I:L for potential scope-dependent writes, A:N.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
1DescriptionCVE.org
Summary
Description
An Improper Authorization (CWE-285) issue in OpenAM's OAuth2 authorization-code grant allows a PKCE-protected authorization code to be redeemed without the required code_verifier. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.
The authorize endpoint stores a code_challenge on the issued code, but the token endpoint only requires a code_verifier when the realm-wide codeVerifierEnforced setting is enabled, which ships disabled by default. With that setting off, the stored challenge is checked only if the caller supplies a verifier, so omitting the parameter skips PKCE verification entirely.
Impact
OpenAM Community Edition deployments through version 16.0.6 using the default OAuth2 provider configuration are potentially affected. For public clients, an attacker who intercepts an authorization code can exchange it for tokens without knowing the verifier. For confidential clients, the attacker additionally needs client authentication material or an execution context that can redeem the code. A token request supplying an incorrect verifier is still rejected. The bypass is specifically the missing-parameter path.
Patch
This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.
AnalysisAI
PKCE bypass in OpenAM Community Edition through 16.0.6 allows an attacker who intercepts an OAuth2 authorization code to exchange it for tokens without supplying the required code_verifier. The token endpoint only enforces PKCE verification when the realm-wide codeVerifierEnforced setting is explicitly enabled - a setting that ships disabled by default - meaning omitting the code_verifier parameter silently skips the challenge check entirely. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the OpenAM realm's codeVerifierEnforced setting is disabled, which is the default configuration shipped with OpenAM Community Edition - meaning most unmodified deployments are in the vulnerable state. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No NVD CVSS vector is provided in the source data, so severity is based on independent assessment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting a public client OAuth2 flow - for example via a malicious redirect_uri registration, a MITM on an insecure redirect, or an open-redirect chain - intercepts a victim's single-use authorization code. The attacker then sends a standard token endpoint request including the stolen code but omitting the code_verifier parameter entirely. … |
| Remediation | Upgrade to OpenAM Community Edition 16.1.1, which patches this issue per the upstream GitHub advisory at https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-4v2w-2wqp-mc85. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-4v2w-2wqp-mc85