PT-2026-53761 · Maven · Org.Openidentityplatform.Openam:Openam-Oauth2
Publicado
2026-06-29
·
Atualizado
2026-06-29
·
CVE-2026-47426
CVSS v4.0
7.1
Alta
| Vetor | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
Summary
Description
An Improper Authentication (CWE-287) issue in OpenAM's OAuth2 private key jwt client authentication path allows any registered OAuth2 client to mint tokens in the name of any other client whose key is published via a jwks uri, without knowing the victim's signing key. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.
Impact
OpenAM Community Edition deployments through version 16.0.6 that have OAuth2 clients configured for private key jwt authentication with keys published via jwks uri are potentially affected. An attacker holding any such client registration, their own, or one obtained through open dynamic client registration where enabled, can mint access tokens in any other such client's name, in any realm hosted by the OpenAM process.
Patch
This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.
Correção
Improper Authentication
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Org.Openidentityplatform.Openam:Openam-Oauth2