Threat Advisory

OpenAM OAuth Vulnerability Enables Token Forgery

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in OpenAM Community Edition versions prior to 16.1.1. These critical flaws expose the platform to authentication bypass, arbitrary OAuth token minting, and unsafe deserialization threats within the RADIUS, OAuth2, and Push Notification modules. Successful exploitation could allow unauthenticated remote attackers to impersonate any user, forge valid access tokens, or potentially execute arbitrary code depending on the deployment classpath. These vulnerabilities pose a severe risk to the integrity of identity management infrastructure, potentially leading to unauthorized access to sensitive applications and full compromise of user sessions.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in OpenAM Community Edition versions prior to 16.1.1. These critical flaws expose the platform to authentication bypass, arbitrary OAuth token minting, and unsafe deserialization threats within the RADIUS, OAuth2, and Push Notification modules. Successful exploitation could allow unauthenticated remote attackers to impersonate any user, forge valid access tokens, or potentially execute arbitrary code depending on the deployment classpath. These vulnerabilities pose a severe risk to the integrity of identity management infrastructure, potentially leading to unauthorized access to sensitive applications and full compromise of user sessions.[emaillocker id="1283"]

  • CVE-2026-46560 with a CVSS score of 7.5 – This vulnerability allows an unauthenticated network attacker to bypass authentication by spoofing an Access-Accept response in the RADIUS module without verifying the cryptographic signature. Attackers can race the legitimate server or spray forged packets to impersonate any RADIUS username and establish a session with that user's privileges.
  • CVE-2026-46498 with a CVSS score of 7.1 – This flaw enables an attacker to forge arbitrary OAuth2 bearer tokens and OIDC ID tokens due to insufficient validation in the token-read path. Exploitation requires planting attacker-controlled JSON into the shared Core Token Store, which can be triggered by a low-privileged user in a Push Notification-enabled realm.
  • CVE-2026-45794 with a CVSS score of 7.7 – This issue involves unsafe Java deserialization in the Push Notification SNS callback resource, allowing an attacker to load arbitrary classes and construct them with controlled values. This primitive can lead to remote process execution, file writes, or denial of service depending on the specific classpath and environment configuration.

These high-severity vulnerabilities present a critical risk to organizations relying on OpenAM for identity and access management, as they facilitate complete account takeover and potential system compromise. The relative ease of exploiting the authentication bypass and token minting flaws significantly increases the threat of unauthorized access to corporate resources. Immediate attention is required to prevent threat actors from leveraging these weaknesses to move laterally within the network or exfiltrate sensitive data.

RECOMMENDATION:

  • We recommend you to update OpenAM Community Edition to version 16.1.1.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-386j-6m86-78f9
https://github.com/advisories/GHSA-cj8f-2fhf-826r
https://github.com/advisories/GHSA-pp89-732f-3g8q

[/emaillocker]
crossmenu