GHSA-4v2w-2wqp-mc85

Source
https://github.com/advisories/GHSA-4v2w-2wqp-mc85
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-4v2w-2wqp-mc85/GHSA-4v2w-2wqp-mc85.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4v2w-2wqp-mc85
Aliases
  • CVE-2026-48717
Published
2026-06-29T17:46:06Z
Modified
2026-06-29T18:00:07.862263457Z
Severity
  • 4.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Summary
OpenAM OAuth Authorization Bypass via PKCE Challenge
Details

Description

An Improper Authorization (CWE-285) issue in OpenAM's OAuth2 authorization-code grant allows a PKCE-protected authorization code to be redeemed without the required code_verifier. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.

The authorize endpoint stores a code_challenge on the issued code, but the token endpoint only requires a code_verifier when the realm-wide codeVerifierEnforced setting is enabled, which ships disabled by default. With that setting off, the stored challenge is checked only if the caller supplies a verifier, so omitting the parameter skips PKCE verification entirely.

Impact

OpenAM Community Edition deployments through version 16.0.6 using the default OAuth2 provider configuration are potentially affected. For public clients, an attacker who intercepts an authorization code can exchange it for tokens without knowing the verifier. For confidential clients, the attacker additionally needs client authentication material or an execution context that can redeem the code. A token request supplying an incorrect verifier is still rejected. The bypass is specifically the missing-parameter path.
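The two checks described above, reconstructed as an added illustration in Python. This is not OpenAM's code: the names AuthorizationCode, redeem_lenient, redeem_strict, challenge_matches and s256_challenge are hypothetical, and the verifier_enforced flag stands in for the realm-wide codeVerifierEnforced setting. redeem_lenient models the missing-parameter path the advisory describes (a wrong verifier is still rejected, an absent one is waved through when enforcement is off); redeem_strict shows the property a fixed token endpoint must have, namely that a code_challenge bound to the code makes the verifier mandatory regardless of the realm setting. The verifier/challenge pair is the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# RFC 7636 Appendix B example values (standard test vector, not constructed here).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


@dataclass
class AuthorizationCode:
    """Hypothetical model of what the authorize endpoint stores with an issued code."""
    value: str
    challenge: Optional[str]          # code_challenge sent on /authorize, or None if the client sent none
    method: str = "S256"              # code_challenge_method


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding (RFC 7636 s4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_matches(stored_challenge: str, method: str, code_verifier: str) -> bool:
    """Compare the stored challenge against the verifier presented on /token, in constant time."""
    if method == "S256":
        expected = s256_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False  # unknown transform method: never accept
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


def redeem_lenient(code: AuthorizationCode, code_verifier: Optional[str],
                   verifier_enforced: bool = False) -> bool:
    """Models the pre-16.1.1 behaviour the advisory describes (assumed reconstruction, not OpenAM source).

    The verifier is only demanded when the realm setting says so; otherwise the stored
    challenge is consulted only if the caller happened to send a verifier.
    """
    if code_verifier is None:
        return not verifier_enforced      # missing parameter skips PKCE when enforcement is off
    if code.challenge is None:
        return True                       # nothing to compare against (assumed)
    return challenge_matches(code.challenge, code.method, code_verifier)


def redeem_strict(code: AuthorizationCode, code_verifier: Optional[str],
                  verifier_enforced: bool = False) -> bool:
    """Hardened check: a challenge bound to the code makes code_verifier mandatory.

    The realm setting now only decides what happens to codes that were issued without PKCE.
    """
    if code.challenge is None:
        return not verifier_enforced      # non-PKCE code: realm policy decides
    if code_verifier is None:
        return False                      # PKCE was started on /authorize, so it must be finished here
    return challenge_matches(code.challenge, code.method, code_verifier)


def compare_behaviour() -> dict:
    """Redeem the same PKCE-protected code three ways under each check and report the outcomes."""
    code = AuthorizationCode(value="constructed-code-123", challenge=RFC7636_CHALLENGE)
    cases = {
        "correct_verifier": RFC7636_VERIFIER,
        "wrong_verifier": "not-the-right-verifier-at-all",
        "verifier_omitted": None,
    }
    return {
        name: {"lenient": redeem_lenient(code, v), "strict": redeem_strict(code, v)}
        for name, v in cases.items()
    }


if __name__ == "__main__":
    for name, result in compare_behaviour().items():
        print(f"{name:18s} lenient={result['lenient']!s:5s} strict={result['strict']!s:5s}")
```

The only row where the two checks disagree is verifier_omitted: the lenient path accepts the code with no verifier at all, while both paths reject a wrong verifier, which is exactly the shape of the issue described. For a deployment that cannot upgrade immediately, enabling the codeVerifierEnforced realm setting closes the missing-parameter path in this model, but it also affects clients that never used PKCE, so the upgrade to 16.1.1 is the real fix.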

Patch

This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.

Database specific
{
    "github_reviewed_at": "2026-06-29T17:46:06Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-285"
    ],
    "severity": "MODERATE"
}
References

Affected packages

Maven / org.openidentityplatform.openam:openam-oauth2

Package

Name
org.openidentityplatform.openam:openam-oauth2
Purl
pkg:maven/org.openidentityplatform.openam/openam-oauth2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
16.1.1

Affected versions

14.*
14.5.2
14.5.3
14.5.4
14.6.1
14.6.2
14.6.3
14.6.4
14.6.5
14.6.6
14.7.0
14.7.1
14.7.2
14.7.3
14.7.4
14.8.1
14.8.2
14.8.3
14.8.4
15.*
15.0.0
15.0.1
15.0.2
15.0.3
15.0.4
15.1.0
15.1.1
15.1.2
15.1.3
15.1.4
15.1.5
15.1.6
15.2.0
15.2.1
15.2.2
16.*
16.0.1
16.0.2
16.0.3
16.0.4
16.0.5
16.0.6
16.1.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-4v2w-2wqp-mc85/GHSA-4v2w-2wqp-mc85.json"
last_known_affected_version_range
"<= 16.0.6"