- CVE: CVE-2026-45051
- CVSS: 9.2 (Critical · CVSSv4)
- Product: org.openidentityplatform.openam:openam-auth-webauthn (maven)
- Affected: <= 16.0.6
- Impact: OpenAM: Pre-auth RCE via Java Deserialization in WebAuthn Authenticator Storage
- Status: No confirmed exploitation yet
- Patched in: 16.1.1
- Action: Update to 16.1.1 now
TL;DR
A critical flaw in OpenAM can let an attacker run code on the server. Tracked as CVE-2026-45051, it scores 9.2 on the CVSS scale. The OpenAM WebAuthn RCE stems from unsafe Java deserialization.
Why it matters
OpenAM handles authentication, single sign-on, and federation for many applications, so a compromise of the server can expose every connected service. Injected code runs with the privileges of the application server user. As a result, one weak attribute mapping can undermine an entire identity layer.
How the OpenAM WebAuthn RCE works
The flaw sits in OpenAM’s WebAuthn authentication module. The module reads a storage attribute and deserializes its contents. If that attribute holds attacker-controlled data, deserialization can trigger code execution. Importantly, this is conditional, not a default-configuration bug. An attacker must first be able to write to that attribute. The WebAuthn flow must also be reachable. Such write access could come from delegated administration, provisioning, or access to the backing directory record.
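As an added example (not OpenAM's code and not the 16.1.1 fix), the following hypothetical Java reader for a stored authenticator attribute shows the unrestricted `readObject()` pattern the flaw describes beside a reader hardened with a JEP 290 `ObjectInputFilter` allowlist; the `AuthenticatorRecord` class, the method names and the sample values are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Hypothetical stand-in for a stored authenticator record; not OpenAM's own class.
class AuthenticatorRecord implements Serializable {
    private static final long serialVersionUID = 1L;
    final String credentialId; final int signCount;
    AuthenticatorRecord(String id, int count) { credentialId = id; signCount = count; }
}

public class WebAuthnAttributeDeserialization {
    // Vulnerable pattern: whatever class the stored bytes name gets instantiated.
    static Object readUnrestricted(byte[] attributeValue) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(attributeValue))) {
            return in.readObject();
        }
    }
    // Hardened pattern: a JEP 290 filter allows only the expected record type (plus String for
    // its field), rejects every other class, and caps depth/size to blunt resource abuse.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "AuthenticatorRecord;java.lang.String;!*;maxdepth=3;maxbytes=4096;maxrefs=16");
    static AuthenticatorRecord readFiltered(byte[] attributeValue) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(attributeValue))) {
            in.setObjectInputFilter(FILTER);   // a rejected class raises InvalidClassException
            return (AuthenticatorRecord) in.readObject();
        }
    }
    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(value); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed attribute values: a legitimate record, and a stream naming another class.
        byte[] legitimate = serialize(new AuthenticatorRecord("cred-01", 7));
        byte[] otherClass = serialize(new java.util.HashMap<String, String>());
        System.out.println("accepted: " + readFiltered(legitimate).credentialId);
        try { readFiltered(otherClass); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The filter is checked as each class descriptor is read, so a stream naming any class outside the allowlist fails before that class is instantiated, which is the property a storage attribute that users or delegated administrators can write needs.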
Affected versions
The bug affects OpenAM Community Edition through version 16.0.6. The Open Identity Platform team fixed it in version 16.1.1.
Exploitation status
No public proof-of-concept exists yet. Researchers report no in-the-wild abuse so far. A researcher credited as “wodzen” disclosed the issue through GitHub.
Patch and mitigation
Update now to OpenAM 16.1.1. You can download the 16.1.1 release from GitHub. Until you patch, keep the WebAuthn storage attribute server-managed, and never map it to a field that users can write.