CVE-2026-33439
Published 2026-04-07
Priority P1 · 85 · critical · 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit material is referenced below (Nuclei template and the write-up in its references)
EPSS: 10.49% (95.2nd percentile)
Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the `jato.clientSession` HTTP parameter. This bypasses the `WhitelistObjectInputStream` mitigation that was applied to the `jato.pageSession` parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the `jato.clientSession` GET/POST parameter to any JATO ViewBean endpoint whose JSP contains `<jato:form>` tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openidentityplatform | openam | < 16.0.6 | 16.0.6 |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests (GET and POST) that carry the `jato.clientSession` parameter to any JATO ViewBean endpoint, especially the Password Reset pages, for serialized Java object payloads.
- Alert on pre-authentication requests whose `jato.clientSession` value begins with the Java serialization stream header (bytes `0xACED0005`). In a query string or form body the value arrives URL-encoded or Base64-encoded rather than as raw bytes (the Base64 form of those four bytes begins with `rO0AB`), so decode before matching.
- The existing `WhitelistObjectInputStream` safeguard was applied only to `jato.pageSession` (after CVE-2021-35464) and does not cover `jato.clientSession`, which remains an unprotected deserialization sink in versions before 16.0.6; treat it as an untrusted deserialization entry point.
- Exploitation is pre-authentication: no valid session or credentials are required to reach RCE, so perimeter controls that rely on authentication state will not block this attack.
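The following is an added example, not OpenAM or JATO code, that turns the detection guidance above into a check you can run over captured requests or access-log lines. It flags any `jato.clientSession` value that carries the Java serialization stream header whether the value is URL-encoded raw bytes, Base64, or Base64 that was itself URL-encoded. The access-log layout, the sample lines, and the assumption that the blob may travel Base64-encoded (carried over from how the sibling `jato.pageSession` value is transported) are all constructed for this example.

```python
"""Added example for CVE-2026-33439 detection; not OpenAM or JATO code.

Flags HTTP requests whose `jato.clientSession` parameter carries a Java
serialization stream. The value may arrive raw, URL-encoded, or Base64-encoded
(Base64 transport is an assumption carried over from the jato.pageSession
case), so all three forms are normalised before looking for the
ObjectOutputStream header 0xACED0005. Log format and sample lines are constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes, urlsplit

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
B64_MAGIC_PREFIX = b"rO0AB"               # Base64 of those four bytes
PARAM = "jato.clientSession"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


@dataclass
class Request:
    method: str
    target: str          # path plus query string, as in the request line
    body: bytes = b""    # urlencoded form body for POST; empty for GET


def _base64_head_is_java(value: bytes) -> bool:
    """Decode only the first 8 Base64 chars (6 bytes) and test the stream header."""
    head = value.lstrip()[:8]
    # A '+' in the value may have become ' ' through form decoding, and urlsafe
    # Base64 uses '-' and '_' for '+' and '/'; normalise both before decoding.
    head = head.replace(b" ", b"+").replace(b"-", b"+").replace(b"_", b"/")
    if len(head) < 8 or not head.startswith(B64_MAGIC_PREFIX):
        return False
    try:
        return base64.b64decode(head, validate=True).startswith(JAVA_STREAM_MAGIC)
    except binascii.Error:
        return False


def looks_like_java_stream(value: bytes) -> bool:
    """True if value is a Java serialization stream in raw, URL-encoded, or Base64 form."""
    for candidate in (value, unquote_to_bytes(value)):
        if candidate.startswith(JAVA_STREAM_MAGIC) or _base64_head_is_java(candidate):
            return True
    return False


def _raw_pairs(data: bytes):
    """Split a query string or form body into (name, raw value) without decoding the value."""
    for part in data.split(b"&"):
        if part:
            name, _, value = part.partition(b"=")
            yield unquote_to_bytes(name).decode("latin-1"), value


def scan_request(req: Request) -> list:
    """One finding per jato.clientSession value that looks like a serialized Java object."""
    parts = urlsplit(req.target)
    sources = [("query", parts.query.encode("latin-1"))]
    if req.method.upper() == "POST":
        sources.append(("body", req.body))
    return [
        {"path": parts.path, "in": where, "param": name}
        for where, data in sources
        for name, value in _raw_pairs(data)
        if name == PARAM and looks_like_java_stream(value)
    ]


def scan_access_log(lines) -> list:
    """Apply scan_request to the request line of each access-log entry (bodies are not logged)."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if m:
            for finding in scan_request(Request(m["method"], m["target"])):
                hits.append((line_no, finding))
    return hits


# Constructed sample access-log lines (not real traffic):
SAMPLE_LOG = [
    # 1: Base64 blob that starts with the Java stream header -> flag
    '10.0.0.5 - - [07/Apr/2026:10:00:01 +0000] "GET /openam/ui/PWResetUserValidation'
    '?jato.clientSession=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA HTTP/1.1" 200 2311',
    # 2: the same header sent as URL-encoded raw bytes -> flag
    '10.0.0.5 - - [07/Apr/2026:10:00:02 +0000] "GET /openam/ui/PWResetUserValidation'
    '?jato.clientSession=%AC%ED%00%05sr%00 HTTP/1.1" 500 118',
    # 3: a different parameter; out of scope for this rule -> no flag
    '10.0.0.9 - - [07/Apr/2026:10:00:03 +0000] "GET /openam/ui/PWResetUserValidation'
    '?jato.pageSession=rO0ABXNyAA HTTP/1.1" 200 2311',
    # 4: opaque value that is not a serialized object -> no flag
    '10.0.0.9 - - [07/Apr/2026:10:00:04 +0000] "GET /openam/ui/PWResetUserValidation'
    '?jato.clientSession=c2Vzc2lvbi10b2tlbg HTTP/1.1" 200 2311',
]

if __name__ == "__main__":
    for line_no, finding in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {finding}")
```

Only the first two sample lines produce findings. Access logs do not record POST bodies, so for the POST variant feed `scan_request` a `Request` built from a proxy or WAF capture that includes the body. Changing `PARAM` to a set that also contains `jato.pageSession` is a one-line change if you want the whitelisted parameter watched too. Detection is a stopgap; the fix is 16.0.6. As defense in depth, a process-wide `jdk.serialFilter` (JEP 290, Java 8u121 and later) applies to every `ObjectInputStream` in the JVM, which is exactly what a per-stream whitelist like the one on `jato.pageSession` does not do.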
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics all Not Defined) |
| ghsa | | 9.8 | CRITICAL | |
| osv | | 9.8 | CRITICAL | |
GHSA (ghsa · 2026-04-07 · CVSS 9.8 · CRITICAL · CWE-502)
OpenIdentityPlatform OpenAM: Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM
## Summary
OpenIdentityPlatform OpenAM 16.0.5 (and likely earlier versions) is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the `jato.clientSession` HTTP parameter. This bypasses the `WhitelistObjectInputStream` mitigation that was applied to the `jato.pageSession` parameter after CVE-2021-35464.
An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the `jato.clientSession` GET/POST parameter to any JATO ViewBean endpoint whose JSP contains `<jato:form>` tags (e.g., the Password Reset pages).
---
## Vulnerability Details
### Background
CVE-2021-35464: the earlier pre-authentication RCE via deserialization of `jato.pageSession`; the `WhitelistObjectInputStream` mitigation introduced for it is the one this issue bypasses. The rest of the advisory text is truncated in the source.
OSV (osv · 2026-04-07 · CVSS 9.8 · CRITICAL): the OSV record carries the same advisory title and text as the GHSA entry above.
Detection rules: none found.
Nuclei (nuclei · CVSS 9.8 · CRITICAL)
OpenAM <= 16.0.5 - Pre-Auth RCE via jato.clientSession Deserialization
Description (truncated in source): OpenAM … tags (e.g., the Password Reset pages).
```yaml
info:
  name: OpenAM <= 16.0.5 - Pre-Auth RCE via jato.clientSession Deserialization
  # the id/author/severity/description lines of the info block are not present in the source
  remediation: Upgrade to OpenAM 16.0.6 or later.
  reference:
    - https://www.hacktron.ai/blog/openam-deserialization-pre-auth-rce
    - https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-2cqq-rpvq-g5qj
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-33439
    epss-score: 0.07964
    epss-percentile: 0.92082
    cwe-id: CWE-502
  metadata:
    verified: true
    max-request: 2
    vendor: openidentityplatform
    product: openam
    shodan-query: http.title:"OpenAM"
    fofa-query: title="OpenAM"
  tags: cve,cve2026,openam,deserialization,rce,jato,oast,oob

flow: http(1) && javascript(1)

http:
  - method: GET
    path:
      - "{{BaseURL}}/openam/ui/PWResetUserValidation"
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
# the template is cut off here in the source; the javascript(1) step named in
# `flow` is not shown
```

A `200` on `/openam/ui/PWResetUserValidation` only confirms that the Password Reset ViewBean is reachable; on its own it does not establish that the instance is vulnerable. The template's `flow` gates the second, JavaScript-driven step on that check, and `max-request: 2` shows the full template sends exactly one more request.
Hackernews
## ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
blogs_hackernews · 2026-05-18 · CVE-2026-42897 [MEDIUM] · CVSS 6.1
Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted.
The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production incident. AI is speeding up vulnerability discovery, attackers are moving quickly, and old exposure still keeps paying off.
Patch the quiet risks first. Let’s g
Wiz
CVE-2026-35571 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVE-2026-35571 [MEDIUM] · CNA score 4.8
## CVE-2026-35571: Java vulnerability analysis and mitigation
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting (XSS) against other authenticated users viewing the Emissary web interface. This vulnerability is fixed in 8.39.0.
Source : NVD
Score 4.8 · Published April 7, 2026 · Severity MEDIUM · CNA score 4.8 · Affected technologies: Java · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS percentile: 7.5 · Exploitation Pro (truncated in source)
Wiz
CVE-2026-5795 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVE-2026-5795 [HIGH] · CNA score 7.4
## CVE-2026-5795: Java vulnerability analysis and mitigation
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to broken access control and privilege escalation.
Source : NVD
Score 7.4 · Published April 8, 2026 · Severity HIGH · CNA score 7.4 · Affected technologies: Java · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS percentile: 4.2 · EPSS probability: N/A · Affected packages an (truncated in source)
Wiz
CVE-2026-35581 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVE-2026-35581 [HIGH] · CNA score 7.2
## CVE-2026-35581: Java vulnerability analysis and mitigation
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACE_NAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters (;, |, $, `, (, ), etc.) to pass through into /bin/sh -c command execution. This vulnerability is fixed in 8.39.0.
Source : NVD
Score 7.2 · Published April 7, 2026 · Severity HIGH · CNA score 7.2 · Affected technologies: Java · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS percentile: 18.5 · EPSS probability: 0.1 · Affe (truncated in source)
Wiz
CVE-2026-35583 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVE-2026-35583 [MEDIUM] · CNA score 5.3
## CVE-2026-35583: Java vulnerability analysis and mitigation
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (`/api/configuration/{name}`) validated configuration names using a blacklist approach that checked for `/`, `..`, a trailing `.` and one further character that did not survive extraction. This could potentially be bypassed using URL-encoded variants, double-encoding, or Unicode normalization to achieve path traversal and read configuration files outside the intended directory. This vulnerability is fixed in 8.39.0.
Source : NVD
Score 5.3 · Published April 7, 2026 · Severity MEDIUM · CNA score 5.3 · Affected technologies: Java · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS percentile: 11.6 · Exploitatio (truncated in source)
Wiz
CVE-2026-33229 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVE-2026-33229 [HIGH] · CNA score 8.6
## CVE-2026-33229: Java vulnerability analysis and mitigation
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.
Source : NVD
Score 8.6 · Published April 8, 2026 · Severity HIGH · CNA score 8.6 · Affected technologies: Java · Has Pu (truncated in source)
Wiz
CVE-2026-37977 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVE-2026-37977 [LOW] · CNA score 3.7
## CVE-2026-37977: Java vulnerability analysis and mitigation
Only code identifiers survived extraction of this description: `azp`, `Access-Control-Allow-Origin`, `webOrigins: ["*"]`.
Source : NVD
Score 3.7 · Published April 6, 2026 · Severity LOW · CNA score 3.7 · Affected technologies: Java, Keycloak · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS percentile: 0.5 · EPSS probability: N/A
Affected packages and libraries: keycloak, keycloak-fips
Sources: NVD · Maven (severity LOW, no fix, added Apr 09, 2026) · MinimOS (severity LOW, has fix, added Apr 09, 2026)
Wiz
CVE-2026-5739 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVE-2026-5739 [MEDIUM] · CNA score 6.9
## CVE-2026-5739: Java vulnerability analysis and mitigation
A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
Score 6.9 · Published April 7, 2026 · Severity MEDIUM · CNA score 6.9 · Affected technologies: Java · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS percentile: 14.5 · EPSS probability: N/A · Affected packages and librar (truncated in source)
Wiz
CVE-2026-33227 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVE-2026-33227 [MEDIUM] · CVSS 4.3
## CVE-2026-33227: Java vulnerability analysis and mitigation
Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ.
In two instances (when creating a Stomp consumer and also when browsing messages in the Web console) an authenticated user-provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath resource loading vulnerability that could potentially be chained with another attack to lead to an exploit.
This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache Active (truncated in source)
Wiz
CVE-2026-35580 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVE-2026-35580 [CRITICAL] · CNA score 9.1
## CVE-2026-35580: Java vulnerability analysis and mitigation
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to repository poisoning and supply chain compromise affecting all downstream users. This vulnerability is fixed in 8.39.0.
Source : NVD
Score 9.1 · Published April 7, 2026 · Severity CRITICAL · CNA score 9.1 · Affected technologies: Java · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS percentile: 3 · Exp (truncated in source)
Wiz
CVE-2026-5736 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVE-2026-5736 [MEDIUM] · CNA score 6.9
## CVE-2026-5736: Java vulnerability analysis and mitigation
A vulnerability was identified in PowerJob 5.1.0/5.1.1/5.1.2. Impacted is an unknown function of the file powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/InstanceController.java of the component detailPlus Endpoint. The manipulation of the argument customQuery leads to sql injection. Remote exploitation of the attack is possible. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
Score 6.9 · Published April 7, 2026 · Severity MEDIUM · CNA score 6.9 · Affected technologies: Java · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS percentile: 9.7 · E (truncated in source)
Wiz
CVE-2026-33439 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVE-2026-33439 [CRITICAL] · CVSS 9.8 (NVD v3.1) · CNA score 9.3 (CVSS 4.0)
## CVE-2026-33439: Java vulnerability analysis and mitigation
Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains jato:form tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.
Source : NVD
Score 9.3 (CNA, CVSS 4.0) · Published April 7 (remainder of the entry truncated in source)
Wiz
GHSA-jx2w-vp7f-456q Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · GHSA-jx2w-vp7f-456q [CRITICAL] · CVSS 9.3
## GHSA-jx2w-vp7f-456q: Java vulnerability analysis and mitigation
## Summary
A path traversal vulnerability was discovered in the quarkus-openapi-generator extension.
## Details
Only code identifiers survived extraction of this section: `unzip()`, `ApicurioCodegenWrapper.java`, `new File(toOutputDir, entry.getName())`, `../../malicious.java`, `OpenApiGeneratorStreamCodeGen.java`, `normalize()`, `startsWith()`.
## PoC
This vulnerability is exploitable when an attacker controls or can intercept the ZIP archive served by the Apicurio registry. In environments where the registry connection is over an untrusted network or where TLS is not properly configured, exploitation becomes practical. The attack occurs at build/codegen time.
- `../../proof.txt`
- Configure quarkus-openapi-generator to use the server (Apicurio) code generation path
- Serve the malicious (truncated in source)
Wiz
CVE-2026-35568 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVE-2026-35568 [HIGH] · CNA score 7.6
## CVE-2026-35568: Java vulnerability analysis and mitigation
MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to 1.0.0, the java-sdk contains a DNS rebinding vulnerability. This vulnerability allows an attacker to access a locally or network-private java-sdk MCP server via a victim's browser that is either local or network adjacent. This allows an attacker to make any tool call to the server as if they were a locally running MCP-connected AI agent. This vulnerability is fixed in 1.0.0.
Source : NVD
Score 7.6 · Published April 7, 2026 · Severity HIGH · CNA score 7.6 · Affected technologies: Java · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS percentile: 5.1