CVE-2026-33439
Received Received - Intake
Pre-Auth Java Deserialization RCE in OpenAM Before

Publication date: 2026-04-07

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33439
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openidentityplatform openam to 16.0.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects OpenIdentityPlatform OpenAM versions prior to 16.0.6. It is a pre-authentication Remote Code Execution (RCE) flaw caused by unsafe Java deserialization of the jato.clientSession HTTP parameter. An attacker can send a specially crafted serialized Java object to the jato.clientSession parameter in a GET or POST request to any JATO ViewBean endpoint containing <jato:form> tags, such as Password Reset pages. This allows the attacker to execute arbitrary commands on the server without authentication. The vulnerability bypasses previous mitigations applied to a similar parameter (jato.pageSession) after CVE-2021-35464. The issue is fixed in version 16.0.6.

Impact Analysis

This vulnerability can have severe impacts because it allows an unauthenticated attacker to execute arbitrary code on the affected server remotely. This could lead to full system compromise, unauthorized access to sensitive data, disruption of services, installation of malware, or use of the compromised server as a pivot point for further attacks within the network.

Mitigation Strategies

The vulnerability is fixed in OpenIdentityPlatform OpenAM version 16.0.6. Immediate mitigation involves upgrading to version 16.0.6 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33439. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart