GHSA-R9PV-5RPP-VM8G
Vulnerability from github – Published: 2026-06-23 17:33 – Updated: 2026-06-23 17:33Summary
Description
An Information Exposure Through Sent Data (CWE-201) issue in OpenAM's Cross-Domain Single Sign-On (CDSSO) servlet allows a logged-in user's raw OpenAM session token to be POSTed to an attacker-controlled URL. This impacts OpenAM Community Edition through version 16.0.6. This issue was patched in version 16.1.1.
An attacker who can induce a logged-in victim to visit a crafted URL may receive the victim's session credential, which could enable session hijacking.
Impact
OpenAM deployments through version 16.0.6 that have CDSSO enabled are potentially affected. The CDSSO component is commonly enabled in multi-domain deployments. Exploitation requires user interaction — an authenticated user must be induced to visit an attacker-crafted URL — and is further gated on a non-default configuration being absent.
Patch
This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 16.0.6"
},
"package": {
"ecosystem": "Maven",
"name": "org.openidentityplatform.openam:openam-federation"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "16.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45049"
],
"database_specific": {
"cwe_ids": [
"CWE-201"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-23T17:33:14Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\n**Description**\n\nAn Information Exposure Through Sent Data (CWE-201) issue in OpenAM\u0027s Cross-Domain Single Sign-On (CDSSO) servlet allows a logged-in user\u0027s raw OpenAM session token to be POSTed to an attacker-controlled URL. This impacts OpenAM Community Edition through version 16.0.6. This issue was patched in version 16.1.1.\n\nAn attacker who can induce a logged-in victim to visit a crafted URL may receive the victim\u0027s session credential, which could enable session hijacking.\n\n## Impact\nOpenAM deployments through version 16.0.6 that have CDSSO enabled are potentially affected. The CDSSO component is commonly enabled in multi-domain deployments. Exploitation requires user interaction \u2014 an authenticated user must be induced to visit an attacker-crafted URL \u2014 and is further gated on a non-default configuration being absent.\n\n## Patch\nThis has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.",
"id": "GHSA-r9pv-5rpp-vm8g",
"modified": "2026-06-23T17:33:14Z",
"published": "2026-06-23T17:33:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-r9pv-5rpp-vm8g"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenIdentityPlatform/OpenAM"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenAM Unauthenticated Session Hijacking via Information Exposure in CDCServlet"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.