CVE-2026-33439

CRITICAL · NUCLEI · LAB

Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM

Title source: cna

Exploitation Summary

EIP tracks 4 public exploit entries for CVE-2026-33439: working PoCs published by adminlove520, TheMalwareGuardian and Ibonok, plus a technical writeup by shreyas-malhotra. A Nuclei detection template is also available.

AI-analyzed exploit summary
This repository contains a functional exploit for CVE-2026-33439, a pre-authentication RCE vulnerability in ForgeRock/OpenIdentityPlatform OpenAM. The exploit leverages deserialization of the `jato.clientSession` parameter via an Encoder.deserialize() call without class whitelist filtering, using a Click1 + External Xalan TemplatesImpl gadget chain to achieve command execution with output echoed directly in the HTTP response.

Description

Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.
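The description above gives the detection surface: a base64-encoded Java serialization stream arriving in the jato.clientSession (or jato.pageSession) parameter of a JATO ViewBean endpoint such as /openam/ui/PWResetUserValidation. The following is an added example of triage logic over web-server access logs, not code from this page or from any of the PoC repositories. It assumes combined/common log format, assumes the parameter is standard or URL-safe base64 (the exact JATO encoder transform is not stated on this page), and takes its gadget class-name markers from the chains the exploit descriptions name (PriorityQueue, Column$ColumnComparator, TemplatesImpl from the external Xalan jar; the JDK-internal TemplatesImpl name is added for completeness). The sample log lines and both byte streams are constructed; the "gadget" stream is only the magic header plus class-descriptor strings and is not a working chain.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# JATO state-carrying parameters. jato.pageSession got the whitelist after
# CVE-2021-35464; jato.clientSession is the one CVE-2026-33439 abuses.
JATO_STATE_PARAMS = ("jato.clientSession", "jato.pageSession")

# Class names a Click1 / Xalan TemplatesImpl chain leaves in the stream as
# class-descriptor strings (taken from the exploit descriptions on this page;
# the com.sun variant is the JDK-internal TemplatesImpl, added as an assumption).
GADGET_MARKERS = (
    b"java.util.PriorityQueue",
    b"org.apache.click.control.Column$ColumnComparator",
    b"org.apache.xalan.xsltc.trax.TemplatesImpl",
    b"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
)

# Combined/common log format is assumed for the sample; adjust for your server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_jato_value(value: str) -> Optional[bytes]:
    """Base64-decode a JATO state parameter (assumed standard or URL-safe base64,
    possibly unpadded). Returns None when the value is not valid base64."""
    raw = value.strip()
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        pass
    try:
        return base64.urlsafe_b64decode(raw)
    except (binascii.Error, ValueError):
        return None


def inspect_request(target: str) -> Optional[dict]:
    """Return a finding for a request target (path?query) carrying a JATO state
    parameter, or None if the request has none."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in JATO_STATE_PARAMS:
        for value in params.get(name, []):
            blob = decode_jato_value(value)
            serialized = blob is not None and blob.startswith(JAVA_SERIAL_MAGIC)
            gadgets = [m.decode() for m in GADGET_MARKERS if m in blob] if serialized else []
            return {"path": parts.path, "param": name, "serialized": serialized, "gadgets": gadgets}
    return None


def classify(finding: Optional[dict]) -> str:
    """Triage verdict. A bare serialized object is only 'review': JATO legitimately
    round-trips serialized view state, so the magic header alone is not an IOC."""
    if finding is None:
        return "none"
    if finding["gadgets"]:
        return "exploit-attempt"
    if finding["serialized"]:
        return "serialized-review"
    return "not-serialized"


def scan_access_log(lines) -> list:
    """One record per request carrying a JATO state parameter. POST bodies are not
    in access logs, so the POST form of the attack needs proxy/WAF body capture."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m["target"])
        if finding is None:
            continue
        records.append({"ip": m["ip"], "ts": m["ts"], "verdict": classify(finding), **finding})
    return records


# ---- constructed sample data (not real traffic, not a working gadget chain) ----
# Magic header followed by TC_OBJECT/TC_CLASSDESC ('s','r') class-descriptor strings.
FAKE_GADGET_STREAM = (
    JAVA_SERIAL_MAGIC
    + b"\x73\x72\x00\x17java.util.PriorityQueue"
    + b"\x73\x72\x00\x30org.apache.click.control.Column$ColumnComparator"
    + b"\x73\x72\x00\x29org.apache.xalan.xsltc.trax.TemplatesImpl"
)
# Stand-in for ordinary JATO view state: serialized, but no gadget classes.
BENIGN_STREAM = JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x11java.util.HashMap"


def _param(blob: bytes) -> str:
    # Base64 then URL-encode, as a real client must (a bare '+' would decode as a space).
    return quote(base64.b64encode(blob).decode(), safe="")


SAMPLE_LOG = [
    f'203.0.113.7 - - [07/Apr/2026:10:15:01 +0000] "GET /openam/ui/PWResetUserValidation'
    f'?jato.clientSession={_param(FAKE_GADGET_STREAM)} HTTP/1.1" 200 5120',
    f'198.51.100.4 - - [07/Apr/2026:10:15:05 +0000] "GET /openam/ui/PWResetUserValidation'
    f'?jato.pageSession={_param(BENIGN_STREAM)} HTTP/1.1" 200 4096',
    '198.51.100.9 - - [07/Apr/2026:10:15:09 +0000] "GET /openam/XUI/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for rec in scan_access_log(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], rec["verdict"], rec["param"], rec["path"], rec["gadgets"])
```

Run it as-is to see the two findings from the constructed log: the jato.clientSession request classifies as an exploit attempt because the gadget class names are present in the decoded stream, while the jato.pageSession request is flagged only for review. In production, treat any jato.clientSession value reaching a host below 16.0.6 as suspect regardless of markers, since a custom gadget chain will not carry these class names.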

Exploits (4)

GitHub · WORKING POC · 4 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-33439

This repository contains a functional exploit for CVE-2026-33439, a pre-authentication RCE vulnerability in ForgeRock/OpenIdentityPlatform OpenAM. The exploit leverages deserialization of the `jato.clientSession` parameter via an Encoder.deserialize() call without class whitelist filtering, using a Click1 + External Xalan TemplatesImpl gadget chain to achieve command execution with output echoed directly in the HTTP response.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ForgeRock/OpenIdentityPlatform OpenAM
Auth: none needed
Prerequisites: JDK 11+ for compilation · Access to unauthenticated Password Reset pages
Analyzed by devstral-2 on May 16, 2026
GitHub · WORKING POC
by TheMalwareGuardian · python · poc
https://github.com/TheMalwareGuardian/CVE-2026-33439

This repository contains a functional exploit for CVE-2026-33439, targeting OpenAM's pre-authentication RCE via deserialization of the jato.clientSession parameter. The exploit leverages a gadget chain involving PriorityQueue, Column$ColumnComparator, and TemplatesImpl to achieve remote code execution.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Complex
Reliability: Reliable
Target: OpenAM 16.0.5
Auth: none needed
Prerequisites: Docker environment with OpenAM 16.0.5 · Java 21 · Specific JAR files from OpenAM's WEB-INF/lib
Analyzed by devstral-2 on May 01, 2026
GitHub · WORKING POC
by Ibonok · java · poc
https://github.com/Ibonok/CVE-2026-33439-PoC

This repository contains a functional exploit for CVE-2026-33439, a pre-authentication RCE vulnerability in ForgeRock/OpenIdentityPlatform OpenAM. The exploit leverages deserialization of the `jato.clientSession` parameter via an Encoder.deserialize() call without class whitelist filtering, using a Click1 + External Xalan TemplatesImpl gadget chain to achieve remote code execution.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ForgeRock/OpenIdentityPlatform OpenAM
Auth: none needed
Prerequisites: JDK 11+ · Access to unauthenticated Password Reset pages
Analyzed by devstral-2 on Apr 28, 2026
GitHub · WRITEUP
by shreyas-malhotra · poc
https://github.com/shreyas-malhotra/CVE-2026-33439-OpenAM

This repository provides a technical writeup identifying a pre-auth unsafe deserialization vulnerability in OpenAM's JATO ViewBean endpoints, specifically highlighting the reachable endpoint /openam/ui/PWResetUserValidation. It offers research insights but lacks functional exploit code.

Classification: Writeup (80%)
Attack type: Deserialization
Complexity: Moderate
Reliability: Theoretical
Target: OpenAM <16.0.6
Auth: none needed
Prerequisites: access to the vulnerable OpenAM endpoint
Analyzed by devstral-2 on Apr 28, 2026

Nuclei Templates (1)

OpenAM <= 16.0.5 - Pre-Auth RCE via jato.clientSession Deserialization
CRITICAL · VERIFIED · by DhiyaneshDk
Shodan: http.title:"OpenAM"
FOFA: title="OpenAM"


Scores

CVSS v3.1: 9.8 (Critical)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
EPSS: 0.1049 (percentile 95.2%)

CISA SSVC (Vulnrichment)

Exploitation: none (value recorded at enrichment time; public PoCs are now tracked under Exploits above)
Automatable: yes
Technical Impact: total

Details

CWE: CWE-502 (Deserialization of Untrusted Data)
Status: published
Products (3):
openidentityplatform/openam < 16.0.6
OpenIdentityPlatform/OpenAM < 16.0.6
org.openidentityplatform.openam/openam (Maven): 0 up to 16.0.6 (fixed in 16.0.6)
Published Apr 07, 2026
Tracked Since Apr 08, 2026