CVE-2026-33439

Source
https://cve.org/CVERecord?id=CVE-2026-33439
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33439.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-33439
Aliases
Published
2026-04-07T20:46:33.739Z
Modified
2026-04-09T11:46:21.097846Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM
Details

Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33439.json",
    "cwe_ids": [
        "CWE-502"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/openidentityplatform/openam

Affected ranges

Type
GIT
Repo
https://github.com/openidentityplatform/openam
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "16.0.6"
        }
    ]
}

Affected versions

13.*
13.0.0
13.0.0-RC1
13.0.0-RC10
13.0.0-RC2
13.0.0-RC3
13.0.0-RC4
13.0.0-RC5
13.0.0-RC6
13.0.0-RC7
13.0.0-RC8
13.0.0-RC9
14.*
14.0.0
14.0.1
14.0.2
14.0.3
14.0.4
14.0.5
14.0.6
14.1.1
14.1.10
14.1.11
14.1.12
14.1.13
14.1.16
14.1.17
14.1.2
14.1.3
14.1.4
14.1.5
14.1.6
14.1.7
14.1.8
14.1.9
14.2.1
14.2.2
14.3.1
14.4.1
14.4.2
14.5.1
14.5.2
14.5.3
14.5.4
14.6.2
14.6.3
14.6.4
14.6.5
14.6.6
14.7.0
14.7.1
14.7.2
14.7.3
14.7.4
14.8.1
14.8.2
14.8.3
14.8.4
15.*
15.0.0
15.0.1
15.0.2
15.0.3
15.0.4
15.1.0
15.1.1
15.1.2
15.1.3
15.1.4
15.1.5
15.1.6
15.2.0
15.2.1
15.2.2
16.*
16.0.3
16.0.4
16.0.5

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33439.json"