Threat Advisory

OpenAM Vulnerability Exposes Reflected XSS Flaw

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in OpenIdentityPlatform OpenAM affecting versions ranging from 13.0.0 to 16.0.6. These vulnerabilities include a critical reflected cross-site scripting (XSS) flaw in the OAuth2 and OIDC endpoints and a high-severity LDAP injection issue within the REST API layer. Exploitation of these security weaknesses could allow malicious actors to execute arbitrary code or manipulate database queries, leading to unauthorized access and data exfiltration. The impact on business operations is severe, potentially compromising the confidentiality and integrity of identity management systems and exposing sensitive user credentials to attackers.

  • CVE-2026-44203 with a CVSS score of 9.3 – This is a pre-authentication reflected XSS vulnerability in the OAuth2/OIDC form_post response mode where the state parameter is not sufficiently sanitized before being rendered in the HTML response. Attackers can exploit this by sending a crafted link to a victim, requiring user interaction to execute arbitrary scripts in the context of the OpenAM origin.
  • CVE-2026-41573 with a CVSS score of 8.7 – This vulnerability allows LDAP injection via the _queryId parameter in the CREST REST API endpoints, bypassing previous escape protections. An authenticated attacker can exploit this flaw by injecting arbitrary LDAP metacharacters to perform user enumeration and blind LDAP injection attacks against the backend directory.
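Both flaws above are missing output encoding on a request-controlled value. As an added illustration (not OpenAM's code and not taken from the referenced advisories), the following shows the encoding each sink needs: HTML-attribute escaping of every form_post parameter, state included, and RFC 4515 escaping of a value placed into an LDAP search filter. Function names and the sample values are constructed for this example; redirect_uri is assumed to have been validated against the client's registered URIs already.

```python
import html

# Illustrative helpers for the two sinks named in the advisory.
# Not OpenAM's implementation; names and inputs are constructed.


def render_form_post(redirect_uri: str, params: dict) -> str:
    """Build an OAuth2 'response_mode=form_post' auto-submit page.

    Every parameter (including 'state', which is echoed back from the
    authorization request) is HTML-attribute-escaped before it is placed
    in the document, so it can only ever be a field value.
    Assumes redirect_uri was already checked against registered URIs.
    """
    fields = "".join(
        '<input type="hidden" name="{}" value="{}"/>'.format(
            html.escape(name, quote=True), html.escape(value, quote=True))
        for name, value in params.items())
    return (
        '<html><body onload="document.forms[0].submit()">'
        '<form method="post" action="{}">{}</form></body></html>'
    ).format(html.escape(redirect_uri, quote=True), fields)


# RFC 4515 section 3: characters that must be escaped inside a filter value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(query_value: str) -> str:
    """Turn a user-supplied lookup value into a filter that matches uid only.

    Metacharacters in query_value are escaped, so the caller's value cannot
    close the (uid=...) clause or add further filter components.
    """
    return "(uid={})".format(ldap_filter_escape(query_value))
```
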

These vulnerabilities pose a critical risk to the organization's identity infrastructure, requiring immediate attention to prevent potential security breaches. Successful exploitation could result in severe operational disruption, data theft, and long-term reputational damage due to compromised user accounts. Organizations must prioritize assessing their exposure to these flaws to protect sensitive authentication data and maintain system availability.

RECOMMENDATION:

  • We recommend updating OpenAM to version 16.1.1.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-2vg8-q4c2-5cw3
https://github.com/advisories/GHSA-fq9h-c788-fx73
