CVE-2021-4201
Published 2022-02-14
CVE-2021-4201: Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions…
Priority P261 · critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.95% (77.7th percentile)
Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| forgerock | access_management | — | — |
| forgerock | access_management | >= 6.5 < 6.5.4 | 6.5.4 |
| forgerock | access_management | >= 7.1 < 7.1.1 | 7.1.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
GHSA (ghsa · 2026-06-23 · CVSS 9.8)
CVE-2026-45048 [CRITICAL] CWE-200: OpenAM Authenticated Privilege Escalation via Raw Token Disclosure Session RPC
## Summary
An insufficient authorization (CWE-285) and information exposure (CWE-200) issue in OpenAM's session management endpoint allows a low-privileged authenticated user to retrieve active session credentials belonging to other users, including those with higher privileges. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.
This may be related to CVE-2021-4201, a similar issue patched in ForgeRock Access Management, a separate product sharing a common codebase ancestry.
## Impact
OpenAM Community Edition deployments through version 16.0.6 using stateful session storage and exposing the session management endpoint are potentially affected. The en
GHSA (ghsa_unreviewed · 2022-02-15)
CVE-2021-4201 [CRITICAL] CWE-287 GHSA-63v3-hpf5-wfmw: Missing access control in ForgeRock Access Management 7
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-02-14