{"id":"CVE-2026-33439","summary":"Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM","details":"Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains \u003cjato:form\u003e tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.","aliases":["GHSA-2cqq-rpvq-g5qj"],"modified":"2026-04-09T11:46:21.097846Z","published":"2026-04-07T20:46:33.739Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-502"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33439.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33439.json"},{"type":"ADVISORY","url":"https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-2cqq-rpvq-g5qj"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33439"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openidentityplatform/openam","events":[{"introduced":"0"},{"fixed":"4529f108e9f5d3b8f98b4afb3dd035a3c4d73a1b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"16.0.6"}]}}],"versions":["13.0.0","13.0.0-RC1","13.0.0-RC10","13.0.0-RC2","13.0.0-RC3","13.0.0-RC4","13.0.0-RC5","13.0.0-RC6","13.0.0-RC7","13.0.0-RC8","13.0.0-RC9","14.0.0","14.0.1","14.0.2","14.0.3","14.0.4","14.0.5","14.0.6","14.1.1","14.1.10","14.1.11","14.1.12","14.1.13","14.1.16","14.1.17","14.1.2","14.1.3","14.1.4","14.1.5","14.1.6","14.1.7","14.1.8","14.1.9","14.2.1","14.2.2","14.3.1","14.4.1","14.4.2","14.5.1","14.5.2","14.5.3","14.5.4","14.6.2","14.6.3","14.6.4","14.6.5","14.6.6","14.7.0","14.7.1","14.7.2","14.7.3","14.7.4","14.8.1","14.8.2","14.8.3","14.8.4","15.0.0","15.0.1","15.0.2","15.0.3","15.0.4","15.1.0","15.1.1","15.1.2","15.1.3","15.1.4","15.1.5","15.1.6","15.2.0","15.2.1","15.2.2","16.0.3","16.0.4","16.0.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33439.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}