Remote Code Execution in OpenIdentityPlatform OpenAM Access Management Solution
CVE-2026-33439

9.3CRITICAL

Key Information:

Vendor: Openidentityplatform
Status: Openam
Vendor: CVE Published:; 7 April 2026

🔔 Create Openidentityplatform Vulnerability Alert

What is CVE-2026-33439?

OpenIdentityPlatform's OpenAM, an access management solution, is susceptible to a pre-authentication Remote Code Execution vulnerability due to unsafe Java deserialization. This issue arises from the handling of the jato.clientSession HTTP parameter, allowing unauthenticated attackers to execute arbitrary commands on the server. This is facilitated by sending a specially crafted serialized Java object to any JATO ViewBean endpoint containing jato:form tags, such as the Password Reset pages. The problem has been addressed in version 16.0.6, enhancing the security of the product.

Affected Version(s)

OpenAM < 16.0.6

References

https://github.com/OpenIdentityPlatform/OpenAM/security/a...

x_refsource_CONFIRM

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Mar 19, 2026

CVE-2026-33439 Data

JSON