CVE-2026-33439
published 2026-04-07

Priority: P185 (critical)
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: flagged (EXPLOIT)
EPSS: 10.49% (95.2nd percentile)
Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.

Affected (1 range)

Vendor: openidentityplatform · Product: openam · Version range: < 16.0.6 · Fixed in: 16.0.6

Detection & IOCs (extracted from sources)

Parameter: jato.clientSession
Other: jato.clientSession (GET/POST parameter to JATO ViewBean endpoint)
  • Monitor HTTP requests (GET and POST) containing the `jato.clientSession` parameter targeting any JATO ViewBean endpoint, especially Password Reset pages, for serialized Java object payloads.
  • Alert on pre-authentication requests carrying `jato.clientSession` parameter values that contain Java serialization magic bytes (0xACED0005), as this indicates an attempted RCE exploit against OpenAM.
  • Note that the existing `WhitelistObjectInputStream` mitigation only covers `jato.pageSession`; `jato.clientSession` is unprotected and should be treated as an untrusted deserialization sink.
  • The WhitelistObjectInputStream deserialization safeguard was only applied to `jato.pageSession` (post CVE-2021-35464) and does NOT cover `jato.clientSession`, leaving it as an unprotected deserialization entry point in versions prior to 16.0.6.
  • The vulnerability is exploitable pre-authentication, meaning no valid session or credentials are required to trigger RCE; perimeter controls that rely on authentication state will not block this attack.
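The detection guidance above, worked into a small request scanner as an added example (not code from the CVE record or from the OpenAM project). It flags any request carrying `jato.clientSession` and raises the severity when the value contains the Java serialization header in raw, base64 (`rO0AB`) or hex form; the host, paths and parameter values in the sample traffic are constructed assumptions.

```python
from urllib.parse import unquote_to_bytes, urlsplit

# The Java serialization stream header (0xACED0005) in the three encodings a
# parameter value is commonly transported in: raw bytes, base64 and hex.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
BASE64_MAGIC = b"rO0AB"      # base64 of the header always starts this way
HEX_MAGIC = b"aced0005"      # compared case-insensitively

# Constructed sample traffic (not captured data); host and paths are assumptions.
SAMPLE_REQUESTS = [
    "GET /openam/UI/Login?module=DataStore HTTP/1.1\r\nHost: sso.example.test\r\n\r\n",
    "POST /openam/password/ui/PWResetUserValidation HTTP/1.1\r\n"
    "Host: sso.example.test\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
    "jato.pageSession=abc&jato.clientSession=rO0ABXNyABJjb25zdHJ1Y3RlZC5TYW1wbGU%3D",
    "GET /openam/password/ui/PWResetUserValidation?jato.clientSession=%AC%ED%00%05x"
    " HTTP/1.1\r\nHost: sso.example.test\r\n\r\n",
]

def extract_params(raw_request: str) -> dict[str, list[bytes]]:
    """Collect query-string and form-body parameters as percent-decoded bytes."""
    head, _, body = raw_request.partition("\r\n\r\n")
    method, target = head.split("\r\n", 1)[0].split(" ")[:2]
    sources = [urlsplit(target).query]
    if method.upper() == "POST":
        sources.append(body)  # url-encoded form bodies only (assumption)
    params: dict[str, list[bytes]] = {}
    for qs in sources:
        for pair in filter(None, qs.split("&")):
            name, _, value = pair.partition("=")
            name = unquote_to_bytes(name).decode("latin-1")
            params.setdefault(name, []).append(unquote_to_bytes(value.replace("+", " ")))
    return params

def looks_serialized(value: bytes) -> bool:
    """True if the value contains a Java serialization header in any encoding."""
    return JAVA_SER_MAGIC in value or BASE64_MAGIC in value or HEX_MAGIC in value.lower()

def scan_request(raw_request: str) -> list[str]:
    """Alerts for one request: HIGH when jato.clientSession carries a serialized
    object, INFO when the parameter is merely present (it is an unprotected sink)."""
    alerts = []
    for value in extract_params(raw_request).get("jato.clientSession", []):
        level = "HIGH" if looks_serialized(value) else "INFO"
        alerts.append(f"{level}: jato.clientSession present, {len(value)} bytes")
    return alerts

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.split("\r\n", 1)[0], "->", scan_request(req) or ["clean"])
```

Pre-authentication requests that trigger a HIGH alert are worth escalating regardless of the endpoint, since the vulnerable parameter is accepted by any JATO ViewBean.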

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v4.0): 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA: 9.8 CRITICAL
OSV: 9.8 CRITICAL