PT-2026-53761 · Maven · Org.Openidentityplatform.Openam:Openam-Oauth2

Publicado

2026-06-29

·

Atualizado

2026-06-29

·

CVE-2026-47426

CVSS v4.0

7.1

Alta

VetorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

Description
An Improper Authentication (CWE-287) issue in OpenAM's OAuth2 private key jwt client authentication path allows any registered OAuth2 client to mint tokens in the name of any other client whose key is published via a jwks uri, without knowing the victim's signing key. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.

Impact

OpenAM Community Edition deployments through version 16.0.6 that have OAuth2 clients configured for private key jwt authentication with keys published via jwks uri are potentially affected. An attacker holding any such client registration, their own, or one obtained through open dynamic client registration where enabled, can mint access tokens in any other such client's name, in any realm hosted by the OpenAM process.

Patch

This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.

Correção

Improper Authentication

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-47426
GHSA-F2CX-463Q-7M2C

Produtos afetados

Org.Openidentityplatform.Openam:Openam-Oauth2