GHSA-vvhj-w2jq-263q

Source

https://github.com/advisories/GHSA-vvhj-w2jq-263q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vvhj-w2jq-263q/GHSA-vvhj-w2jq-263q.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vvhj-w2jq-263q

Aliases

CVE-2026-45048

Published

2026-06-23T17:33:00Z

Modified

2026-06-23T17:45:08.647465325Z

Severity

8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

OpenAM Authenticated Privilege Escalation via Raw Token Disclosure Session RPC

Details

Summary

Description

An insufficient authorization (CWE-285) and information exposure (CWE-200) issue in OpenAM's session management endpoint allows a low-privileged authenticated user to retrieve active session credentials belonging to other users, including those with higher privileges. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.

This may be related to CVE-2021-4201, a similar issue patched in ForgeRock Access Management, a separate product sharing a common codebase ancestry.

Impact

OpenAM Community Edition deployments through version 16.0.6 using stateful session storage and exposing the session management endpoint are potentially affected. The endpoint does not enforce ownership or privilege checks when querying session information, meaning an authenticated user may retrieve active session credentials for arbitrary users. Successful exploitation requires a valid low-privilege session and knowledge of a target user's identity identifier, which may be obtainable through normal platform functionality.

If credentials belonging to a highly privileged account are obtained, this could enable further administrative actions within the platform

Patch

This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.

Database specific

{
    "github_reviewed_at": "2026-06-23T17:33:00Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-200",
        "CWE-285"
    ],
    "github_reviewed": true,
    "nvd_published_at": null
}

References

Affected packages

Maven / org.openidentityplatform.openam:openam-core

Package

Name: org.openidentityplatform.openam:openam-core; View open source insights on deps.dev
Purl: pkg:maven/org.openidentityplatform.openam/openam-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

16.1.1

Affected versions

14.*

14.5.2

14.5.3

14.5.4

14.6.1

14.6.2

14.6.3

14.6.4

14.6.5

14.6.6

14.7.0

14.7.1

14.7.2

14.7.3

14.7.4

14.8.1

14.8.2

14.8.3

14.8.4

15.*

15.0.0

15.0.1

15.0.2

15.0.3

15.0.4

15.1.0

15.1.1

15.1.2

15.1.3

15.1.4

15.1.5

15.1.6

15.2.0

15.2.1

15.2.2

16.*

16.0.1

16.0.2

16.0.3

16.0.4

16.0.5

16.0.6

16.1.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vvhj-w2jq-263q/GHSA-vvhj-w2jq-263q.json"

last_known_affected_version_range

"<= 16.0.6"