GHSA-F2CX-463Q-7M2C

Vulnerability from github – Published: 2026-06-29 17:44 – Updated: 2026-06-29 17:44
VLAI
Summary
OpenAM OAuth Client Impersonation via JWKS Resolver Cache
Details

Summary

Description

An Improper Authentication (CWE-287) issue in OpenAM's OAuth2 private_key_jwt client authentication path allows any registered OAuth2 client to mint tokens in the name of any other client whose key is published via a jwks_uri, without knowing the victim's signing key. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.

Impact

OpenAM Community Edition deployments through version 16.0.6 that have OAuth2 clients configured for private_key_jwt authentication with keys published via jwks_uri are potentially affected. An attacker holding any such client registration, their own, or one obtained through open dynamic client registration where enabled, can mint access tokens in any other such client's name, in any realm hosted by the OpenAM process.

Patch

This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 16.0.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.openidentityplatform.openam:openam-oauth2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "16.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47426"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-29T17:44:37Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\n**Description**\n\nAn Improper Authentication (CWE-287) issue in OpenAM\u0027s OAuth2 private_key_jwt client authentication path allows any registered OAuth2 client to mint tokens in the name of any other client whose key is published via a jwks_uri, without knowing the victim\u0027s signing key. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.\n\n## Impact\n\nOpenAM Community Edition deployments through version 16.0.6 that have OAuth2 clients configured for private_key_jwt authentication with keys published via jwks_uri are potentially affected. An attacker holding any such client registration, their own, or one obtained through open dynamic client registration where enabled, can mint access tokens in any other such client\u0027s name, in any realm hosted by the OpenAM process.\n\n## Patch\nThis has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.",
  "id": "GHSA-f2cx-463q-7m2c",
  "modified": "2026-06-29T17:44:37Z",
  "published": "2026-06-29T17:44:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-f2cx-463q-7m2c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenIdentityPlatform/OpenAM"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenAM OAuth Client Impersonation via JWKS Resolver Cache"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…