CVE-2026-33439
Pre-Auth Java Deserialization RCE in OpenAM Before
Publication date: 2026-04-07
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openidentityplatform | openam | all versions before 16.0.6 (16.0.6 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects OpenIdentityPlatform OpenAM versions prior to 16.0.6. It is a pre-authentication Remote Code Execution (RCE) flaw caused by unsafe Java deserialization of the jato.clientSession HTTP parameter. An attacker can send a specially crafted serialized Java object to the jato.clientSession parameter in a GET or POST request to any JATO ViewBean endpoint containing <jato:form> tags, such as Password Reset pages. This allows the attacker to execute arbitrary commands on the server without authentication. The vulnerability bypasses previous mitigations applied to a similar parameter (jato.pageSession) after CVE-2021-35464. The issue is fixed in version 16.0.6.
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows an unauthenticated attacker to execute arbitrary code on the affected server remotely. This could lead to full system compromise, unauthorized access to sensitive data, disruption of services, installation of malware, or use of the compromised server as a pivot point for further attacks within the network.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in OpenIdentityPlatform OpenAM version 16.0.6. Immediate mitigation involves upgrading to version 16.0.6 or later.
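As an added detection example (not part of this record or of the OpenAM project): a small Python scanner that flags access-log requests whose jato.clientSession or jato.pageSession parameter carries a base64-encoded Java serialization stream, recognised by the 0xACED0005 stream header. The base64 transport encoding, the log format and the request paths are assumptions; POST bodies do not appear in access logs and need WAF or request-body logging to be checked the same way.

```python
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

# Header every java.io.ObjectOutputStream stream starts with (STREAM_MAGIC + version).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# Parameter fixed in 16.0.6 plus the one hardened after CVE-2021-35464.
SUSPECT_PARAMS = ("jato.clientSession", "jato.pageSession")
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_param(value):
    """Base64-decode an already URL-decoded parameter value; None if it is not base64."""
    raw = value.replace(" ", "+")  # a literal '+' in a query string decodes to a space
    padded = raw + "=" * (-len(raw) % 4)  # tolerate stripped padding
    for altchars in (None, b"-_"):  # standard, then URL-safe alphabet
        try:
            return base64.b64decode(padded, altchars=altchars, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return None

def check_request_target(target):
    """Return the suspect parameter names whose value is a Java serialization stream."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = []
    for name in SUSPECT_PARAMS:
        for value in params.get(name, []):
            blob = decode_param(value)
            if blob is not None and blob.startswith(JAVA_SERIAL_MAGIC):
                hits.append(name)
    return hits

def scan_access_log(lines):
    """Return (line_no, method, target, hit_params) for each suspicious request line."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m:
            hits = check_request_target(m.group("target"))
            if hits:
                findings.append((line_no, m.group("method"), m.group("target"), hits))
    return findings

# Constructed sample: harmless stream prefix (header + a java.util.HashMap class descriptor),
# base64- and URL-encoded as a client would send it. Paths are placeholders, not real OpenAM URLs.
SAMPLE_BLOB = quote(base64.b64encode(JAVA_SERIAL_MAGIC + b"sr\x00\x11java.util.HashMap").decode())
LOG_LINES = [
    f'203.0.113.7 - - [07/Apr/2026:10:15:01 +0000] "GET /openam/password/reset?jato.clientSession={SAMPLE_BLOB} HTTP/1.1" 200 512',
    '203.0.113.7 - - [07/Apr/2026:10:15:02 +0000] "GET /openam/password/reset?jato.pageSession=abc123 HTTP/1.1" 200 512',
    '198.51.100.4 - - [07/Apr/2026:10:16:00 +0000] "GET /openam/XUI/ HTTP/1.1" 200 2048',
]
```

Run `scan_access_log(LOG_LINES)` to see only the first constructed line reported; the second line shows that a base64-looking value without the stream header is not flagged.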