GHSA-2cqq-rpvq-g5qj: OpenIdentityPlatform OpenAM: Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM
Tags: critical vulnerability, security
Summary
OpenIdentityPlatform OpenAM 16.0.5 contains a critical vulnerability that allows unauthenticated attackers to run arbitrary commands on the server through unsafe deserialization (the process of converting stored data back into objects) of the `jato.clientSession` request parameter. A previous fix blocked this attack on the similar `jato.pageSession` parameter, but the `jato.clientSession` parameter was overlooked and remains unprotected, so the flaw is reachable before authentication through password reset pages and similar endpoints.
Vulnerability Details
EPSS (30-day exploit probability): 0.0%
Patch Available: Yes
Disclosure Date: April 7, 2026
Classification: Attack Sophistication: Moderate
Affected Packages: org.openidentityplatform.openam:openam, versions <= 16.0.5 (fixed in 16.0.6)
Original source: https://github.com/advisories/GHSA-2cqq-rpvq-g5qj
First tracked: April 7, 2026 at 02:01 PM