Home

Description

Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.

PUBLISHED Reserved 2026-03-19 | Published 2026-04-07 | Updated 2026-04-08 | Assigner GitHub_M




CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-502: Deserialization of Untrusted Data

Product status

< 16.0.6
affected

References

github.com/...OpenAM/security/advisories/GHSA-2cqq-rpvq-g5qj

cve.org (CVE-2026-33439)

nvd.nist.gov (CVE-2026-33439)

Download JSON