VulniosVulnios
All Threat Alerts
criticalCVE Alert
CVE-2026-33439

Critical Vulnerability: CVE-2026-33439 — openidentityplatform — openam

Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java obj

Thursday, April 16, 2026openidentityplatformVulnios Threat Intelligence
Share:

Executive Summary

Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.

Why It Matters

CVE-2026-33439 is rated CRITICAL severity, requiring immediate attention from security teams.

CVSS Base Score: 9.8/10

EPSS (Exploit Prediction): 0.1% probability of exploitation in the next 30 days.

Affected Technologies

Vendors: openidentityplatform

Products: openam

🛡️What Defenders Should Check

  • Check if you are affected — Review your asset inventory for products listed in CVE-2026-33439.
  • Apply available patches — Visit vendor advisories for the latest security updates.
  • Monitor for exploitation — Check your SIEM/IDS logs for related indicators.

    • Use Vulnios to continuously monitor your exposure to CVE-2026-33439 and similar vulnerabilities.

    References & Sources

  • https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-2cqq-rpvq-g5qj

    • AI Security Advisor

    Powered by Gemini

    Get AI-powered security recommendations tailored to this specific threat — including risk assessment, detection guidance, MITRE ATT&CK mapping, and actionable remediation steps.

    Affected Products

    openam

    Sources

    criticalrce

    Protect Your Organization

    Monitor CVEs, scan for vulnerabilities, and get real-time threat alerts — all in one platform.

    Get Started FreeFree Security ScanOSINT Dashboard

    Get instant alerts on Telegram

    Join our public channel for real-time critical CVE alerts.

    Follow @vulnios