CVE-2021-29156

HIGH NUCLEI

ForgeRock OpenAM < 13.5.1 - Unauthenticated LDAP Injection via Webfinger Protocol

Exploitation Summary

EIP tracks 3 public exploits for CVE-2021-29156. PoCs were published by Charlton Trezevant, guidepointsecurity, and 5amu. A Nuclei detection template is also available.

Description

ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key.

Exploits (3)

exploitdb WORKING POC
by Charlton Trezevant · go, webapps, java
https://www.exploit-db.com/exploits/50480

This Go-based exploit demonstrates LDAP injection in OpenAM 13.0 via brute-forcing character-by-character to extract password hashes. It uses HTTP requests with crafted payloads to test for valid characters in the hash.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: OpenAM v13.0.0
No auth needed
Prerequisites: Network access to the OpenAM server · Knowledge of a valid username
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by guidepointsecurity · poc
https://github.com/guidepointsecurity/CVE-2021-29156

This repository contains a functional Go-based proof-of-concept exploit for CVE-2021-29156, an LDAP injection vulnerability in ForgeRock OpenAM v13.0.0. The exploit performs a character-by-character brute force attack to extract user password hashes via crafted LDAP queries.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: ForgeRock OpenAM v13.0.0
No auth needed
Prerequisites: Network access to the vulnerable OpenAM instance · Knowledge of a valid username (default: amAdmin)
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by 5amu · poc
https://github.com/5amu/CVE-2021-29156

This repository contains a functional Go-based exploit for CVE-2021-29156, an LDAP injection vulnerability in OpenAM. The tool performs a brute-force attack to recover user passwords by leveraging a timing-based side-channel in the WebFinger endpoint.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: OpenAM (versions prior to 13.0.0)
No auth needed
Prerequisites: Network access to the OpenAM WebFinger endpoint · Knowledge of a valid username
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

LDAP Injection In OpenAM
HIGH · by melbadry9, xelkomy
Shodan: http.title:"OpenAM" || http.title:"openam"
FOFA: title="openam"

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://portswigger.net/research/hidden-oauth-attack-vectors
Exploit, Patch, Vendor Advisory x_refsource_misc
https://bugster.forgerock.org/jira/browse/OPENAM-10135

Scores

CVSS v3: 7.5
EPSS: 0.8871
EPSS Percentile: 99.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE: CWE-74
Status: published
Products (1): forgerock/openam < 13.5.1
Published: Mar 25, 2021
Tracked Since: Feb 18, 2026