GHSA-386j-6m86-78f9

Source
https://github.com/advisories/GHSA-386j-6m86-78f9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-386j-6m86-78f9/GHSA-386j-6m86-78f9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-386j-6m86-78f9
Aliases
  • CVE-2026-46560
Published
2026-06-25T17:22:24Z
Modified
2026-06-25T17:30:09.498935970Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
OpenAM: Unauthenticated Authentication Bypass via RADIUS Spoofing
Details

Summary

Description

An Improper Verification of Cryptographic Signature (CWE-347) issue in OpenAM's RADIUS authentication module allows an unauthenticated network attacker to spoof an Access-Accept response and obtain an OpenAM session for any RADIUS username, without knowing the configured shared secret. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.

The RADIUS client opens an unconnected datagram socket and treats the first UDP datagram delivered to its source port as authoritative. The receive path does not check the source IP/port, does not match the response identifier to the outstanding request, and does not verify the Response Authenticator (RFC 2865 §3); the RFC 2869 Message-Authenticator is neither sent nor required. Any non-Reject/non-Challenge packet is treated as success, so a forged Access-Accept is accepted as a valid login.
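The checks the advisory says are missing are small and well defined, so the following added example (not OpenAM's code, and not the 16.1.1 fix) shows what a RADIUS client receive path should do before treating a datagram as a login result: confirm the source address matches the server the request went to, confirm the Identifier matches the outstanding request, and recompute the RFC 2865 §3 Response Authenticator, MD5(Code + ID + Length + RequestAuth + Attributes + Secret), under the shared secret. The server address, secret, request authenticator and attribute contents are constructed values; a real client derives the request authenticator from a CSPRNG per request. The RFC 2869 Message-Authenticator is not covered here.

```python
"""Added example (not OpenAM's code): RFC 2865 Response Authenticator check."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RFC 2865 §3 packet code


def radius_attr(attr_type: int, value: bytes) -> bytes:
    # RFC 2865 §5 attribute TLV: Type, Length (including these 2 bytes), Value
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_response(code, identifier, request_authenticator, attributes, secret):
    """Server side: build a response whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet, expected_identifier, request_authenticator, secret,
                    source, expected_server):
    """Client side: accept only a datagram from the server we queried, for the
    request we sent, with an authenticator that verifies under the shared secret."""
    if source != expected_server:            # missing check 1: source IP/port
        return False
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):  # RFC 2865 §3: short packets are discarded
        return False
    if identifier != expected_identifier:    # missing check 2: request/response ID match
        return False
    attributes = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attributes + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):  # missing check 3: authenticator
        return False
    return code == ACCESS_ACCEPT             # success only on a verified Access-Accept


def demo():
    """Constructed scenarios: one genuine reply and three that must be rejected."""
    server = ("192.0.2.10", 1812)            # constructed server address
    secret = b"constructed-shared-secret"    # constructed shared secret
    req_auth = bytes(range(16))              # constructed; use os.urandom(16) in practice
    ident = 0x2A
    attrs = radius_attr(18, b"welcome")      # Reply-Message attribute

    genuine = build_response(ACCESS_ACCEPT, ident, req_auth, attrs, secret)
    wrong_secret = build_response(ACCESS_ACCEPT, ident, req_auth, attrs, b"wrong-guess")
    wrong_id = build_response(ACCESS_ACCEPT, ident ^ 1, req_auth, attrs, secret)
    tampered = genuine[:-1] + bytes([genuine[-1] ^ 0xFF])  # attribute byte flipped

    return {
        "genuine": verify_response(genuine, ident, req_auth, secret, server, server),
        "wrong_secret": verify_response(wrong_secret, ident, req_auth, secret, server, server),
        "wrong_identifier": verify_response(wrong_id, ident, req_auth, secret, server, server),
        "tampered": verify_response(tampered, ident, req_auth, secret, server, server),
        "wrong_source": verify_response(genuine, ident, req_auth, secret,
                                        ("198.51.100.7", 40000), server),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:17s} accepted={accepted}")
```

Only the genuine reply passes; a packet built without the secret, one answering a different Identifier, one whose attributes were altered after signing, and a correctly signed packet arriving from an unexpected source are all rejected. The vulnerable client described above would have accepted every one of these as a successful login, which is why verifying the authenticator is a prerequisite for, not a substitute for, the source and identifier checks.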

Impact

OpenAM Community Edition deployments through version 16.0.6 where an administrator has enabled a RADIUS module instance on a login chain are potentially affected. An attacker either races the real server on-path or, off-path, sprays forged Access-Accept packets at the OpenAM client port. Because the client performs no verification of the response authenticator, no MD5 chosen-prefix forgery is required, which is materially stronger than the BlastRADIUS family (CVE-2024-3596), in which an attacker must still forge a valid authenticator.

Successful exploitation yields pre-authentication impersonation of any RADIUS-mapped user in any affected realm. The resulting session is indistinguishable from a legitimate RADIUS login and carries the named principal's privileges.

Patch

This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.

Database specific
{
    "github_reviewed_at": "2026-06-25T17:22:24Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-347"
    ],
    "nvd_published_at": null,
    "github_reviewed": true
}
References

Affected packages

Maven / org.openidentityplatform.openam:openam-radius

Package

Name
org.openidentityplatform.openam:openam-radius
Purl
pkg:maven/org.openidentityplatform.openam/openam-radius

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
16.1.1

Affected versions

14.*
14.5.2
14.5.3
14.5.4
14.6.1
14.6.2
14.6.3
14.6.4
14.6.5
14.6.6
14.7.0
14.7.1
14.7.2
14.7.3
14.7.4
14.8.1
14.8.2
14.8.3
14.8.4
15.*
15.0.0
15.0.1
15.0.2
15.0.3
15.0.4
15.1.0
15.1.1
15.1.2
15.1.3
15.1.4
15.1.5
15.1.6
15.2.0
15.2.1
15.2.2
16.*
16.0.1
16.0.2
16.0.3
16.0.4
16.0.5
16.0.6
16.1.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-386j-6m86-78f9/GHSA-386j-6m86-78f9.json"