9 matches found
CVE-2026-33439
Open Access Management OpenAM is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution RCE via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream...
CVE-2026-33439
Open Access Management OpenAM is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution RCE via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream...
CVE-2026-33439 Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM
Open Access Management OpenAM is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution RCE via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream...
CVE-2026-33439
Open Access Management OpenAM is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution RCE via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream...
CVE-2026-33439 Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM
Open Access Management OpenAM is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution RCE via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream...
CVE-2026-33439
CVE-2026-33439 : OpenAM/OpenIdentityPlatform before 16.0.6 is vulnerable to pre-authentication remote code execution via unsafe Java deserialization of the jato.clientSession parameter. An unauthenticated attacker can send a crafted serialized Java object to any JATO ViewBean endpoint (e.g., Pass...
EUVD-2026-19941
OpenIdentityPlatform OpenAM: Pre-Authentication Remote Code Execution via jato.clientSession Deserialization in OpenAM...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the jato.clientSession HTTP parameter of the deserializeAttributes function. An attacker can execute arbitrary code on the server by sending a crafted serialized Java object to endpoints that process...
OpenIdentityPlatform OpenAM: Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM
Summary OpenIdentityPlatform OpenAM 16.0.5 and likely earlier versions is vulnerable to pre-authentication Remote Code Execution RCE via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the...