Skip to content

Commit 3732ee0

Browse files
1 parent 8b24e7f commit 3732ee0

1 file changed

Lines changed: 61 additions & 0 deletions

File tree

Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-cj8f-2fhf-826r",
4+
"modified": "2026-06-25T17:07:58Z",
5+
"published": "2026-06-25T17:07:58Z",
6+
"aliases": [
7+
"CVE-2026-46498"
8+
],
9+
"summary": "OpenAM Arbitrary OAuth Token Minting via Push Registration",
10+
"details": "## Summary\n\n**Description**\n\nAn Authorization Bypass Through User-Controlled Key (CWE-639) exists in OpenAM's stateful OAuth2 token-read path. Under certain conditions, this may allow an attacker to forge OAuth2 bearer tokens and OIDC ID tokens with arbitrary subject, client, realm, and scope. This affects OpenAM Community Edition through version 16.0.6.\n\nThe OAuth2 token-read path reads caller-supplied token identifiers from the shared Core Token Store (CTS) without placing them in an OAuth-only namespace and without binding the row's trusted CTS type to the expected OAuth token family, so any CTS row whose BLOB claims to be an OAuth token is accepted on the read path with no integrity check.\n\n## Impact\n\nOpenAM Community Edition deployments through version 16.0.6 with the OAuth2 Provider service enabled in a realm are potentially affected, but the vulnerable read path is only reachable once an attacker can place attacker-controlled JSON into the shared CTS under an identifier they know. For example, an anonymous Push Notification SNS callback handler, reachable by any low-privileged user in a Push Notification-enabled realm after a single legitimate Push registration can trigger the exploit.\n\nIn any deployment where such a primitive exists, an attacker can forge OAuth2 bearer tokens with attacker-chosen userName, clientID, realm, and scope. The compromise does not by itself create an OpenAM SSO session or grant admin-console access.\n\n## Patch\n\nThis has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Maven",
21+
"name": "org.openidentityplatform.openam:openam-oauth2"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "16.1.1"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-cj8f-2fhf-826r"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/OpenIdentityPlatform/OpenAM"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.1.1"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-639"
55+
],
56+
"severity": "HIGH",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-06-25T17:07:58Z",
59+
"nvd_published_at": null
60+
}
61+
}

0 commit comments

Comments
 (0)