PT-2026-51435 · Maven · Org.Openidentityplatform.Openam:Openam-Core-Rest

Publicado

2026-06-22

·

Atualizado

2026-06-22

·

CVE-2026-41573

CVSS v4.0

8.7

Alta

VetorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
OpenAM (Open Identity Platform) is an open-source IAM platform providing SSO, OAuth2, SAML, and OpenID Connect capabilities. The CREST REST API layer exposes user query endpoints under /json/{realm}/users. In IdentityResourceV1.queryCollection(), the HTTP query parameter queryId is passed to a CrestQuery object with escapeQueryId explicitly set to false, bypassing the escape protection introduced as part of the CVE-2021-29156 fix. The unescaped value flows directly to DJLDAPv3Repo.getFilter() where it is concatenated into an LDAP filter string without sanitization, enabling authenticated attackers to inject arbitrary LDAP metacharacters for user enumeration and blind LDAP injection.

Affected Endpoint

EndpointAuth RequiredInjection Parameter
GET /openam/json/{realm}/users? queryId=<INJECTION>SSO Token queryId
GET /openam/json/{realm}/groups? queryId=<INJECTION>SSO Token (TBD) queryId

Background: CVE-2021-29156

CVE-2021-29156 was a pre-authentication LDAP injection in OpenAM's Webfinger endpoint, where user-supplied input reached DJLDAPv3Repo.getFilter() unescaped. The fix introduced the escapeQueryId flag in CrestQuery (defaulting to true) and added Filter.escapeAssertionValue() in the filter-building path:

Credit

Discovered by JD-Security SHENYI Team

Correção

Special Elements Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-41573
GHSA-2VG8-Q4C2-5CW3

Produtos afetados

Org.Openidentityplatform.Openam:Openam-Core-Rest