GHSA-2vg8-q4c2-5cw3

Source
https://github.com/advisories/GHSA-2vg8-q4c2-5cw3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-2vg8-q4c2-5cw3/GHSA-2vg8-q4c2-5cw3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2vg8-q4c2-5cw3
Aliases
  • CVE-2026-41573
Published
2026-06-22T19:59:33Z
Modified
2026-06-22T20:15:14.159563277Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
OpenAM has LDAP Injection via `_queryId` Parameter
Details

OpenAM (Open Identity Platform) is an open-source IAM platform providing SSO, OAuth2, SAML, and OpenID Connect capabilities. The CREST REST API layer exposes user query endpoints under /json/{realm}/users. In IdentityResourceV1.queryCollection(), the HTTP query parameter _queryId is passed to a CrestQuery object with escapeQueryId explicitly set to false, bypassing the escape protection introduced as part of the CVE-2021-29156 fix. The unescaped value flows directly to DJLDAPv3Repo.getFilter() where it is concatenated into an LDAP filter string without sanitization, enabling authenticated attackers to inject arbitrary LDAP metacharacters for user enumeration and blind LDAP injection.

Affected Endpoint

| Endpoint | Auth Required | Injection Parameter |
|----------|---------------|---------------------|
| GET /openam/json/{realm}/users?_queryId=<INJECTION> | SSO Token | _queryId |
| GET /openam/json/{realm}/groups?_queryId=<INJECTION> | SSO Token (TBD) | _queryId |

Background: CVE-2021-29156

CVE-2021-29156 was a pre-authentication LDAP injection in OpenAM's Webfinger endpoint, where user-supplied input reached DJLDAPv3Repo.getFilter() unescaped. The fix introduced the escapeQueryId flag in CrestQuery (defaulting to true) and added Filter.escapeAssertionValue() in the filter-building path:
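The escape path described in the Details and Background sections, as an added illustration written for this page rather than OpenAM's own code: `Query`, `buildFilter` and `escapeAssertionValue` below are self-contained stand-ins for `CrestQuery`, `DJLDAPv3Repo.getFilter()` and `Filter.escapeAssertionValue()` (the class names, method names and the shape of the filter are assumptions, as is the sample input), showing why a `_queryId` that bypasses escaping lets filter metacharacters reach the directory and what RFC 4515 escaping turns the same value into.

```java
import java.util.regex.Pattern;

// Added illustration, not OpenAM code: models the flag-controlled escaping the advisory
// describes so the difference between escapeQueryId=false and escapeQueryId=true is visible.
public class QueryIdEscapeDemo {

    /** RFC 4515 escaping for a value placed inside an LDAP filter assertion. */
    static String escapeAssertionValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Stand-in for the query object (hypothetical): the flag decides whether the id is escaped. */
    static final class Query {
        final String queryId;
        final boolean escapeQueryId;

        Query(String queryId, boolean escapeQueryId) {
            this.queryId = queryId;
            this.escapeQueryId = escapeQueryId;
        }

        String assertionValue() {
            return escapeQueryId ? escapeAssertionValue(queryId) : queryId;
        }
    }

    /** Stand-in for the filter-building path (hypothetical): the value is interpolated into an equality filter. */
    static String buildFilter(Query q) {
        return "(&(objectClass=inetOrgPerson)(uid=" + q.assertionValue() + "))";
    }

    /**
     * Defensive check: a correctly escaped assertion value contains no bare '*', '(', ')', NUL,
     * and every backslash is followed by two hex digits. Useful as an assertion at the point
     * where the value is about to be concatenated into a filter.
     */
    private static final Pattern BARE_META = Pattern.compile("[*()\\x00]|\\\\(?![0-9a-fA-F]{2})");

    static boolean containsBareMetacharacter(String assertionValue) {
        return BARE_META.matcher(assertionValue).find();
    }

    public static void main(String[] args) {
        String userInput = "*"; // constructed sample: a single wildcard supplied as _queryId

        Query vulnerable = new Query(userInput, false); // the setting the advisory describes
        Query hardened   = new Query(userInput, true);  // the default the CVE-2021-29156 fix intended

        System.out.println("escapeQueryId=false -> " + buildFilter(vulnerable));
        System.out.println("escapeQueryId=true  -> " + buildFilter(hardened));
        System.out.println("bare metacharacter with flag=false: " + containsBareMetacharacter(vulnerable.assertionValue()));
        System.out.println("bare metacharacter with flag=true:  " + containsBareMetacharacter(hardened.assertionValue()));
    }
}
```

With the flag false the wildcard survives into the `uid=` assertion and the filter matches every entry of the object class, which is the enumeration effect the advisory names; with the flag true the same character becomes `\2a` and matches only a literal asterisk. The `containsBareMetacharacter` check is the kind of guard a reviewer can place directly in front of any string concatenation into a filter, independent of which caller set the flag.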

Credit

Discovered by JD-Security SHENYI Team

Database specific
{
    "github_reviewed_at": "2026-06-22T19:59:33Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-74"
    ],
    "github_reviewed": true,
    "nvd_published_at": null
}
References

Affected packages

Maven / org.openidentityplatform.openam:openam-core-rest

Package

Name
org.openidentityplatform.openam:openam-core-rest
Purl
pkg:maven/org.openidentityplatform.openam/openam-core-rest

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
16.1.1

Affected versions

14.*
14.5.2
14.5.3
14.5.4
14.6.1
14.6.2
14.6.3
14.6.4
14.6.5
14.6.6
14.7.0
14.7.1
14.7.2
14.7.3
14.7.4
14.8.1
14.8.2
14.8.3
14.8.4
15.*
15.0.0
15.0.1
15.0.2
15.0.3
15.0.4
15.1.0
15.1.1
15.1.2
15.1.3
15.1.4
15.1.5
15.1.6
15.2.0
15.2.1
15.2.2
16.*
16.0.1
16.0.2
16.0.3
16.0.4
16.0.5
16.0.6
16.1.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-2vg8-q4c2-5cw3/GHSA-2vg8-q4c2-5cw3.json"
last_known_affected_version_range
"<= 16.0.6"