CVE-2026-33439

216.73.217.22

· Published 07/04/2026 21:17 · Modified 08/04/2026 21:27

Labels: CVE-2026-33439 2026-04-07 CVE-2026-33439 CWE-502 [email protected]

Essential information

Published: 07/04/2026 21:17
Modified: 08/04/2026 21:27
Author: —
Creator: —
CVSS: 9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
forgerock / openam	`cpe:2.3:a:forgerock:openam::::::::`