CVE-2026-33439: Pre-Authentication Remote Code Execution in OpenAM via JATO clientSession Deserialization
Vulnerability ID: CVE-2026-33439
CVSS Score: 9.3
Published: 2026-04-07
OpenIdentityPlatform OpenAM is vulnerable to an unauthenticated Remote Code Execution flaw. The vulnerability resides in the JATO framework integration, where the value of the jato.clientSession request parameter is passed to Java deserialization without any class restriction. An attacker can supply a crafted serialized object to any JATO ViewBean endpoint to execute arbitrary system commands.
TL;DR
Unsafe Java deserialization in OpenAM's jato.clientSession parameter allows unauthenticated remote code execution, bypassing previous CVE-2021-35464 mitigations. Administrators must upgrade to version 16.0.6 immediately.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-502
- Attack Vector: Network / HTTP
- CVSS v4.0 Score: 9.3 (Critical)
- EPSS Score: 0.101%
- Impact: Pre-Authentication Remote Code Execution
- Exploit Status: Proof-of-Concept Available
Affected Systems
- OpenIdentityPlatform OpenAM
- OpenAM: < 16.0.6 (Fixed in: 16.0.6)
Code Analysis
Commit: 014007c
Replaced the unrestricted ApplicationObjectInputStream instantiation with IOUtils.deserialise, which applies a strict class whitelist (allowlist) filter to the incoming stream.
Mitigation Strategies
- Upgrade OpenIdentityPlatform OpenAM to version 16.0.6 or later
- Deploy WAF rules to block Base64-encoded serialized objects (rO0AB) in the jato.clientSession parameter
- Implement a global JEP 290 deserialization filter at the JVM level
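The fix described under Code Analysis (an allowlist filter in place of an unrestricted ObjectInputStream) and the JEP 290 mitigation above are the same control applied at different layers. The following is an added example, not OpenAM's own IOUtils.deserialise and not taken from the fix commit: it shows a per-stream JEP 290 ObjectInputFilter that accepts only an explicit set of classes and enforces depth and size limits, together with the "rO0AB" marker check a WAF rule would key on. The SessionState class, the allowlist contents and the method names are assumptions for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Set;

public class StrictDeserialiser {

    // Stand-in for the session object the JATO integration would carry (assumption, not OpenAM's real type).
    public static final class SessionState implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String user;
        public final int step;
        SessionState(String user, int step) { this.user = user; this.step = step; }
    }

    // Constructed allowlist: the only classes permitted to appear in the stream.
    // java.lang.Number is listed because it is Integer's serializable superclass and is checked too.
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.String",
        "java.lang.Number",
        "java.lang.Integer",
        SessionState.class.getName()
    );

    // JEP 290 filter: reject anything not on the allowlist, and cap nesting, reference count,
    // array length and total bytes so a stream cannot be used for resource exhaustion either.
    static final ObjectInputFilter ALLOWLIST_FILTER = info -> {
        if (info.depth() > 10 || info.references() > 1_000
                || info.arrayLength() > 10_000 || info.streamBytes() > 65_536) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED; // no class at this checkpoint; limits above still apply
        }
        while (c.isArray()) {
            c = c.getComponentType();               // judge arrays by their element type
        }
        if (c.isPrimitive()) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ALLOWED.contains(c.getName())
            ? ObjectInputFilter.Status.ALLOWED
            : ObjectInputFilter.Status.REJECTED;
    };

    // Base64 of the Java serialization magic bytes AC ED 00 05 begins with "rO0AB";
    // this is the marker the WAF rule in the mitigation list looks for in jato.clientSession.
    public static boolean looksLikeJavaSerialisation(String paramValue) {
        return paramValue != null && paramValue.startsWith("rO0AB");
    }

    // Hardened counterpart of an unrestricted ObjectInputStream: the filter is installed
    // before readObject, so a class outside the allowlist is rejected before its readObject runs.
    public static Object deserialise(String base64) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(ALLOWLIST_FILTER);
            return in.readObject();
        }
    }

    // Demo helper: produce the base64 form a client parameter would carry.
    static String serialise(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Allowlisted type round-trips normally.
        SessionState s = (SessionState) deserialise(serialise(new SessionState("alice", 2)));
        System.out.println("accepted: user=" + s.user + " step=" + s.step);

        // Any other class, here a plain ArrayList, is refused with InvalidClassException.
        String other = serialise(new ArrayList<>(List.of("x")));
        System.out.println("serialization marker present: " + looksLikeJavaSerialisation(other));
        try {
            deserialise(other);
            System.out.println("UNEXPECTED: stream accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The same allowlist can be applied process-wide, which is what the JVM-level mitigation refers to, by starting the container with a jdk.serialFilter pattern (for this allowlist, roughly `-Djdk.serialFilter='java.lang.String;java.lang.Number;java.lang.Integer;!*'`, with the application's own state class added). The per-stream filter above is still worth keeping in the code path that handles jato.clientSession, since a global filter is easy to lose during a container or JVM upgrade.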
Remediation Steps:
- Download the OpenAM 16.0.6 release from the official repository.
- Backup the existing OpenAM deployment and database configurations.
- Deploy the updated OpenAM WAR file to the application server.
- Restart the application server container (e.g., Tomcat, JBoss).
- Review application logs to verify the correct initialization of the updated components.
References
- GitHub Security Advisory: GHSA-2cqq-rpvq-g5qj
- NVD Record for CVE-2026-33439
- Fix Commit in OpenAM
- OpenAM 16.0.6 Release Notes
- Related Research (CVE-2021-35464)