EXECUTIVE SUMMARY:
Two vulnerabilities have been identified in OpenAM Community Edition (OpenAM). The flaws span information exposure that enables unauthenticated session hijacking through the CDSSO servlet and an authenticated privilege escalation issue where low-privilege users can retrieve raw session tokens belonging to other accounts. Both weaknesses stem from inadequate authorization and token handling, allowing attackers to capture valid session credentials or impersonate privileged users. Exploitation can lead to unauthorized access to sensitive resources, lateral movement across services, and potential administrative control of the identity platform, posing significant operational and compliance risks.
CVE-2026-45049 with a CVSS score of 8.3 – An information exposure flaw in the CDSSO servlet leaks a logged-in user's raw session token to an attacker-controlled URL; exploitation requires convincing a victim to visit a crafted link, after which the attacker can capture the token and hijack the session.
CVE-2026-45048 with a CVSS score of 8.5 – An insufficient authorization vulnerability in the session management endpoint allows a low-privilege authenticated user to query active session data of arbitrary users, including privileged accounts, provided the attacker knows the target user identifier.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-r9pv-5rpp-vm8g
https://github.com/advisories/GHSA-vvhj-w2jq-263q