EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in OpenAM Community Edition up to version 16.0.6. The flaws include an improper authorization weakness that permits unauthenticated actors to write arbitrary entries into the Liberty discovery store, and a Java deserialization issue in the WebAuthn authenticator storage that can lead to remote code execution. Both vulnerabilities bypass normal identity access controls and operate with elevated internal privileges. Exploitation could allow attackers to manipulate discovery data affecting service routing, or execute arbitrary code on the application server, jeopardizing data integrity, confidentiality, and availability across dependent services.
CVE-2026-45052 with a CVSS score of 9.3 – An improper authorization (CWE-285) flaw in OpenAM’s Liberty SOAP endpoint lets an unauthenticated remote attacker write persistent entries to the discovery store and shared root-realm branch, bypassing LDAP and identity ACLs; exploitation requires network access to the endpoint.
CVE-2026-45051 with a CVSS score of 9.2 – A Java deserialization vulnerability in the WebAuthn authentication module permits arbitrary code execution when an attacker can inject malicious data into a writable storage attribute; the attack requires prior ability to write to the attribute and reach the WebAuthn flow.
These vulnerabilities present a high risk of unauthorized data manipulation and server compromise, potentially disrupting authentication services and downstream applications. If exploited, organizations could face loss of data integrity, service outages, and exposure of sensitive information, underscoring the need for immediate attention.
RECOMMENDATION:
We recommend updating OpenAM Community Edition to version 16.1.1.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-p462-xxwx-pqf4
https://github.com/advisories/GHSA-6c99-87fr-6q7r