How CVE-2026-46498 Works
CVE-2026-46498 is an Improper Authentication (CWE-287) vulnerability in OpenAM’s OAuth2 `private_key_jwt` client authentication flow.
The flaw stems from how OpenAM validates client assertions when using the `private_key_jwt` method. In this flow, a client presents a signed JWT assertion to the token endpoint to prove its identity. The JWT contains a `jwks_uri` pointing to the client’s public key set. OpenAM fetches the keys from this URI and uses them to verify the JWT’s signature.
However, OpenAM does not validate that the `jwks_uri` belongs to the client that is actually authenticating. An attacker who controls any registered OAuth2 client – or who can dynamically register a client (if that feature is enabled) – can specify another client’s `jwks_uri` in their own JWT assertion.
Because OpenAM blindly trusts the supplied `jwks_uri` and does not bind the retrieved keys to the authenticating client’s identity, the attacker’s JWT will be validated using the victim client’s public key. The attacker does not need to know the victim’s private signing key – they simply reuse the victim’s published JWKS.
This allows the attacker to mint OAuth2 access tokens and OIDC ID tokens in the name of any other client whose keys are exposed via a `jwks_uri`. The forged tokens can have arbitrary subject, client, realm, and scope, effectively granting the attacker the victim client’s privileges across any realm hosted by the OpenAM instance.
The vulnerability affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.
DailyCVE Form:
Platform: OpenAM Community Edition
Version: ≤ 16.0.6
Vulnerability: Improper Authentication (CWE-287)
Severity: Critical
Date: 2026-06-25
Prediction: Patch expected 2026-06-25 (already released in 16.1.1)
What Undercode Says: Analytics
Affected Components
- `openam-oauth2` module
- OAuth2 client registration with `private_key_jwt` authentication
- Realms exposing OAuth2 endpoints
Attack Vector
- Remote, unauthenticated (requires only a valid client registration)
- Exploitation complexity: Low
CVSS Score
- Base Score: ~9.8 (Critical) – AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Bash Commands to Check Exposure
```bash
# List OAuth2 clients with private_key_jwt authentication
# (-k skips TLS certificate verification; drop it once the server certificate is trusted)
curl -k -u "amadmin:password" "https://openam.example.com/openam/oauth2/clients"

# Check if dynamic client registration is enabled
curl -k "https://openam.example.com/openam/oauth2/registration/.well-known/openid-configuration" | jq '.registration_endpoint'

# Retrieve a client's jwks_uri from its registration
curl -k -u "amadmin:password" "https://openam.example.com/openam/oauth2/clients/CLIENT_ID" | jq '.jwks_uri'
```
Code Snippet – Vulnerable Validation Logic (Conceptual)
```java
// OpenAM's flawed validation (conceptual): no check that the jwks_uri belongs to the
// client being authenticated
JWKSet clientJwks = fetchJWKSet(client.getJwksUri());
JWTClaimsSet claims = validateJWT(jwtAssertion, clientJwks); // Attacker can supply victim's jwks_uri here
```
How It Is Exploited:
- Register or obtain an OAuth2 client with `private_key_jwt` as the token endpoint authentication method.
- Generate a signed JWT assertion using your own private key, but set the `jwks_uri` header or claim to point to the victim client’s public JWKS endpoint.
- Send the forged JWT to the `/oauth2/access_token` endpoint as the `client_assertion` parameter.
- OpenAM fetches the victim’s JWKS, validates the JWT signature (which passes because the victim’s public key matches the JWT’s signature), and issues an access token scoped to the victim client.
- The attacker can now use this token to access resources as the victim client, across any realm.
PoC Request Example
```bash
curl -X POST "https://openam.example.com/openam/oauth2/access_token" \
  -d "grant_type=client_credentials" \
  -d "client_id=attacker_client" \
  -d "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
  -d "client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6ImF0dGFja2VyLWtleSIsImp3a3NfdXJpIjoiaHR0cHM6Ly92aWN0aW0uZXhhbXBsZS5jb20vandrcyJ9..." \
  -d "scope=openid profile"
```
Protection from CVE-2026-46498
- Upgrade to OpenAM Community Edition 16.1.1 immediately.
- If upgrading is not possible, disable dynamic client registration to prevent attackers from easily obtaining a client.
- Review all OAuth2 client configurations and ensure that `jwks_uri` values are trusted and cannot be tampered with.
- Monitor token issuance logs for anomalies – look for tokens minted with unexpected `client_id` or `subject` claims.
- Implement network restrictions to limit access to the OAuth2 token endpoint from untrusted sources.
- Consider using `client_secret_jwt` or other authentication methods as a temporary workaround, but note that they may have their own risks.
Impact
- Token Forgery: An attacker can forge OAuth2 bearer tokens and OIDC ID tokens for any client whose keys are exposed via `jwks_uri`.
- Privilege Escalation: The attacker can impersonate high-privilege clients, potentially gaining administrative access to protected resources.
- Cross‑Realm Compromise: Because tokens can be minted for any realm hosted by the OpenAM process, a single compromised client can affect all realms.
- Data Breach: Unauthorized access to sensitive data and APIs protected by the victim client.
- Widespread Exposure: Any OpenAM deployment through version 16.0.6 that uses `private_key_jwt` with `jwks_uri` is vulnerable.
Sources:
Reported By: github.com

