VYPR
Critical severity · CVSS 9.8 · NVD Advisory · Published Apr 7, 2026 · Updated Apr 15, 2026

CVE-2026-33439

Description

Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.
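As an added example (not part of the advisory or of the OpenAM project), a triage helper for web-server access logs: it decodes a jato.clientSession query value the way the Encoder above would (Base64, then an optional Deflater layer) and reports the top-level class of any Java serialization stream it finds, so the value can be checked against the deserialization allow-list. The log format, the /openam/example/PWReset path and the class names are constructed; POST bodies do not appear in access logs, so only the GET variant is covered.

```python
import base64
import re
import zlib
from urllib.parse import parse_qs, quote, urlsplit

JAVA_SERIAL_MAGIC, OBJECT_CLASSDESC = b"\xac\xed\x00\x05", b"\x73\x72"  # stream header; TC_OBJECT + TC_CLASSDESC
PARAM = "jato.clientSession"

def decode_jato_param(value):
    """Undo the Base64 and optional Deflater layers of a jato.* value (assumes the
    java.util.Base64 alphabet and zlib-wrapped deflate of the Encoder's defaults)."""
    try:
        raw = base64.b64decode(value.replace(" ", "+"), validate=True)  # parse_qs maps a raw '+' to ' '
        return zlib.decompress(raw)
    except zlib.error:
        return raw   # compressed=false variant
    except ValueError:
        return b""   # not Base64 at all: JATO would reject it before deserializing

def top_level_class(stream):
    """Class name of the first object in a Java serialization stream, else None."""
    if not stream.startswith(JAVA_SERIAL_MAGIC) or stream[4:6] != OBJECT_CLASSDESC:
        return None
    n = int.from_bytes(stream[6:8], "big")
    return stream[8:8 + n].decode("utf-8", "replace")

def scan_request_line(line):
    """{path, class} when the request's jato.clientSession holds an object stream, else None."""
    m = re.search(r'"(?:GET|POST) (\S+)', line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    for value in parse_qs(url.query).get(PARAM, []):
        cls = top_level_class(decode_jato_param(value))
        if cls:  # compare against the deserialization allow-list; anything else is a probe
            return {"path": url.path, "class": cls}
    return None

def sample_line(class_name, compress):
    """Constructed access-log line, not captured traffic; the PWReset path is a placeholder."""
    name = class_name.encode()
    data = JAVA_SERIAL_MAGIC + OBJECT_CLASSDESC + len(name).to_bytes(2, "big") + name
    b64 = base64.b64encode(zlib.compress(data) if compress else data).decode()
    return f'10.0.0.9 - - [08/Apr/2026:10:00:02 +0000] "GET /openam/example/PWReset?{PARAM}={quote(b64, safe="")} HTTP/1.1" 200 88'

SAMPLE_LOG = [
    '10.0.0.5 - - [08/Apr/2026:10:00:01 +0000] "GET /openam/UI/Login?module=DataStore HTTP/1.1" 200 512',
    sample_line("java.util.HashMap", compress=True),
    sample_line("com.example.NotOnAllowList", compress=False),
]
```

Run `scan_request_line` over each line of a real access log and review every reported class that is not on the allow-list; a legitimate client session deserializes to a known JATO class, so an unexpected name is the signal.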

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                         Affected versions   Patched versions
org.openidentityplatform.openam:openam (Maven)  < 16.0.6            16.0.6

Patches

Commit 014007c63cac

CVE-2026-33439 Pre-Authentication Remote Code Execution via jato.clientSession Deserialization in OpenAM

https://github.com/OpenIdentityPlatform/OpenAM · Maxim Thomas · Mar 21, 2026 · via ghsa
2 files changed · +38 -15
  • jato-shaded/pom.xml (+7 -1, modified)
    @@ -13,7 +13,7 @@
      * information: "Portions copyright [year] [name of copyright owner]".
      *
      * Copyright 2011-2016 ForgeRock AS.
    - * Portions Copyrighted 2025 3A Systems LLC.
    + * Portions Copyrighted 2025-2026 3A Systems LLC.
     -->
     <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
         <modelVersion>4.0.0</modelVersion>
    @@ -40,6 +40,11 @@
                 <artifactId>jato</artifactId>
                 <version>2005-05-04</version>
             </dependency>
    +        <dependency>
    +            <groupId>org.openidentityplatform.openam</groupId>
    +            <artifactId>openam-shared</artifactId>
    +            <scope>provided</scope>
    +        </dependency>
         </dependencies>
         <build>
             <plugins>
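Review bot: the new openam-shared dependency carries no <version>, so it only resolves if the parent POM's dependencyManagement pins it; confirm that is the case for the jato-shaded module (whose other dependency, jato, is pinned explicitly to 2005-05-04) or add an explicit version. The provided scope is appropriate for a shaded module, but a short XML comment saying why openam-shared is needed here (the Debug and IOUtils classes used by Encoder) would help whoever next touches this file.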
    @@ -55,6 +60,7 @@
                             </goals>
                             <configuration>
                                 <outputDirectory>${project.build.directory}/classes</outputDirectory>
    +                            <excludeScope>provided</excludeScope>
                             </configuration>
                         </execution>
                     </executions>
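Review bot: <excludeScope>provided</excludeScope> in the plugin configuration is what keeps openam-shared classes out of the shaded output, and it only makes sense together with the provided-scope dependency added in the hunk above; the two changes should be cross-referenced in a comment so the exclusion is not removed as "unused" later, which would duplicate Debug and IOUtils on the web application's classpath.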
    
  • jato-shaded/src/main/java/com/iplanet/jato/util/Encoder.java (+31 -14, modified)
    @@ -1,20 +1,38 @@
    +/*
    + * The contents of this file are subject to the terms of the Common Development and
    + * Distribution License (the License). You may not use this file except in compliance with the
    + * License.
    + *
    + * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
    + * specific language governing permission and limitations under the License.
    + *
    + * When distributing Covered Software, include this CDDL Header Notice in each file and include
    + * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
    + * Header, with the fields enclosed by brackets [] replaced by your own identifying
    + * information: "Portions copyright [year] [name of copyright owner]".
    + *
    + * Copyright 2023-2026 3A Systems LLC.
    + */
    +
     package com.iplanet.jato.util;
     
    -import java.io.ByteArrayInputStream;
    +import com.sun.identity.shared.debug.Debug;
    +import org.forgerock.openam.utils.IOUtils;
    +
     import java.io.ByteArrayOutputStream;
     import java.io.IOException;
    -import java.io.ObjectInputStream;
     import java.io.ObjectOutputStream;
     import java.io.Serializable;
     import java.util.Base64;
    +import java.util.stream.Collectors;
     import java.util.zip.DataFormatException;
     import java.util.zip.Deflater;
     import java.util.zip.DeflaterOutputStream;
     import java.util.zip.Inflater;
    -import java.util.zip.InflaterInputStream;
     
     public class Encoder {
     
    +    private final static Debug debug = Debug.getInstance("amConsole");
         private Encoder() {
         }
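Review bot: the removed imports (ByteArrayInputStream, ObjectInputStream, InflaterInputStream) are consistent with deserialize() no longer building its own stream, so nothing in this hunk is left dangling. Two style points: add a blank line between the new static debug field and the private constructor, and consider whether "amConsole" is the right debug instance for a JATO utility that is also reached from non-console pages, since operators looking for this trace will otherwise have to know to open the console debug file.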
     
    @@ -115,18 +133,17 @@ public static byte[] serialize(Serializable o, boolean compress) throws IOExcept
         }
     
         public static Object deserialize(byte[] b, boolean compressed) throws IOException, ClassNotFoundException {
    -        ByteArrayInputStream bais = new ByteArrayInputStream(b);
    -        InflaterInputStream iis = null;
    -        ObjectInputStream ois = null;
    -        if (compressed) {
    -            iis = new InflaterInputStream(bais);
    -            ois = new ApplicationObjectInputStream(iis);
    -        } else {
    -            ois = new ApplicationObjectInputStream(bais);
    +        if(debug.messageEnabled()) {
    +            String trace = StackWalker.getInstance()
    +                .walk(frames -> frames
    +                        .skip(1).limit(3)
    +                        .map(f -> String.format("%s.%s(%s:%d)",
    +                                f.getClassName(), f.getMethodName(),
    +                                f.getFileName(), f.getLineNumber()))
    +                        .collect(Collectors.joining("; ")));
    +            debug.message("Encoder:deserialize callers trace: " + trace);
             }
    -
    -        Object result = ois.readObject();
    -        return result;
    +        return IOUtils.deserialise(b, compressed);
         }
     }
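Review bot: the actual mitigation is the single line `return IOUtils.deserialise(b, compressed);`, and the filtering it performs is not visible in this diff; the fix is only as strong as the class allow-list that method enforces, so the review should include IOUtils.deserialise and confirm it is the same WhitelistObjectInputStream path already used for jato.pageSession. The StackWalker-based caller trace needs Java 9 or later, so check the module's compiler target, and because it is emitted only when message-level debugging is on it will not help an incident responder on a default deployment; a warning when deserialization is rejected would. Finally, the old code never closed its streams and went through ApplicationObjectInputStream, which this hunk leaves unreferenced; if no other caller remains, delete that class so the unfiltered path cannot be reached again.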
     
    
