CVE-2026-33439
Description
Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.openidentityplatform.openam:openamMaven | < 16.0.6 | 16.0.6 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-2cqq-rpvq-g5qjnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-2cqq-rpvq-g5qjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33439ghsaADVISORY
- github.com/OpenIdentityPlatform/OpenAM/commit/014007c63cacc834cc795a89fac0e611aebc4a32ghsaWEB
- github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.0.6ghsaWEB
News mentions
1- ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and MoreThe Hacker News · May 18, 2026