CVE-2026-33439
Published: 07 April 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-33439 is a pre-authentication remote code execution (RCE) vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting OpenIdentityPlatform OpenAM prior to version 16.0.6. OpenAM is an access management solution vulnerable to unsafe Java deserialization of the jato.clientSession HTTP parameter (CWE-502). This issue bypasses the WhitelistObjectInputStream mitigation previously applied to the jato.pageSession parameter after CVE-2021-35464.
An unauthenticated attacker can exploit the vulnerability by sending a crafted serialized Java object as the jato.clientSession GET or POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags, such as the Password Reset pages. Successful exploitation enables arbitrary command execution on the server.
The vulnerability is fixed in OpenAM 16.0.6. Additional details on mitigation are available in the security advisory at https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-2cqq-rpvq-g5qj.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Pre-authentication RCE in public-facing access management web application (OpenAM) via unsafe Java deserialization, directly enabling exploitation of public-facing application.