GHSA-r9pv-5rpp-vm8g

Source

https://github.com/advisories/GHSA-r9pv-5rpp-vm8g

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-r9pv-5rpp-vm8g/GHSA-r9pv-5rpp-vm8g.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r9pv-5rpp-vm8g

Aliases

CVE-2026-45049

Published

2026-06-23T17:33:14Z

Modified

2026-06-23T17:45:08.639627610Z

Severity

8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator

Summary

OpenAM Unauthenticated Session Hijacking via Information Exposure in CDCServlet

Details

Summary

Description

An Information Exposure Through Sent Data (CWE-201) issue in OpenAM's Cross-Domain Single Sign-On (CDSSO) servlet allows a logged-in user's raw OpenAM session token to be POSTed to an attacker-controlled URL. This impacts OpenAM Community Edition through version 16.0.6. This issue was patched in version 16.1.1.

An attacker who can induce a logged-in victim to visit a crafted URL may receive the victim's session credential, which could enable session hijacking.

Impact

OpenAM deployments through version 16.0.6 that have CDSSO enabled are potentially affected. The CDSSO component is commonly enabled in multi-domain deployments. Exploitation requires user interaction — an authenticated user must be induced to visit an attacker-crafted URL — and is further gated on a non-default configuration being absent.

Patch

This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.

Database specific

{
    "github_reviewed_at": "2026-06-23T17:33:14Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-201"
    ],
    "github_reviewed": true,
    "nvd_published_at": null
}

References

Affected packages

Maven / org.openidentityplatform.openam:openam-federation

Package

Name: org.openidentityplatform.openam:openam-federation; View open source insights on deps.dev
Purl: pkg:maven/org.openidentityplatform.openam/openam-federation

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

16.1.1

Affected versions

14.*

14.5.2

14.5.3

14.5.4

14.6.1

14.6.2

14.6.3

14.6.4

14.6.5

14.6.6

14.7.0

14.7.1

14.7.2

14.7.3

14.7.4

14.8.1

14.8.2

14.8.3

14.8.4

15.*

15.0.0

15.0.1

15.0.2

15.0.3

15.0.4

15.1.0

15.1.1

15.1.2

15.1.3

15.1.4

15.1.5

15.1.6

15.2.0

15.2.1

15.2.2

16.*

16.0.1

16.0.2

16.0.3

16.0.4

16.0.5

16.0.6

16.1.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-r9pv-5rpp-vm8g/GHSA-r9pv-5rpp-vm8g.json"

last_known_affected_version_range

"<= 16.0.6"