PT-2026-30917 · Forgerock · Openidentityplatform+1
Iamnoooob · Published 2026-04-07 · Updated 2026-05-27 · CVE-2026-33439
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenAM versions prior to 16.0.6
Description: Open Access Management (OpenAM) is an access management solution. An unauthenticated attacker can achieve arbitrary command execution on the server through unsafe Java deserialization. This occurs when a crafted serialized Java object is sent as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags, such as Password Reset pages. This issue bypasses the WhitelistObjectInputStream mitigation previously applied to the jato.pageSession parameter.
Recommendations: Update to version 16.0.6.
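As a defender-side check, added here and not part of the advisory or the OpenAM project: a Python routine that flags requests whose jato.clientSession or jato.pageSession value decodes to a Java serialized object stream (stream magic 0xACED0005), covering both the query string and a POST body since the advisory names both. The request-capture format, the URL path and the sample values are constructed.

```python
# Added example, not from the advisory or the OpenAM project: flag requests whose
# jato.clientSession or jato.pageSession parameter carries a Java serialized
# object stream. Capture format, URL path and sample values are constructed.
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC 0xACED + STREAM_VERSION 5
WATCHED_PARAMS = ("jato.clientSession", "jato.pageSession")

def _decode_b64(value: str) -> bytes:
    """Lenient base64: restore padding, accept standard or URL-safe alphabet."""
    padded = value.strip() + "=" * (-len(value.strip()) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            return decoder(padded)
        except (binascii.Error, ValueError):
            continue
    return b""

def find_serialized_params(query_or_body: str) -> list:
    """(param, decoded_length) for watched params whose value is a Java stream.
    Takes a URL query string or an x-www-form-urlencoded POST body."""
    hits = []
    for name, values in parse_qs(query_or_body, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            raw = _decode_b64(value)
            if raw.startswith(JAVA_STREAM_MAGIC):
                hits.append((name, len(raw)))
    return hits

def scan_requests(requests: list) -> list:
    """requests: (method, url, body) tuples, e.g. from a proxy or WAF capture.
    Returns (method, path, source, param, decoded_length) per hit."""
    findings = []
    for method, url, body in requests:
        parts = urlsplit(url)
        for source, data in (("query", parts.query), ("body", body or "")):
            for name, size in find_serialized_params(data):
                findings.append((method, parts.path, source, name, size))
    return findings

# Constructed sample capture: the first value is base64 of a Java stream header
# (0xACED0005) followed by TC_OBJECT/TC_CLASSDESC bytes; the others are benign.
SAMPLE_REQUESTS = [
    ("POST", "/openam/ui/ExampleReset", "jato.clientSession=rO0ABXNyABFqYXZhLmxhbmcuT2JqZWN0"),
    ("GET", "/openam/ui/ExampleReset?jato.pageSession=SGVsbG8gd29ybGQ", None),
    ("GET", "/openam/XUI/", None),
]
```

Because the whitelist on jato.pageSession was bypassed through jato.clientSession, the check watches both parameters rather than only the one the earlier mitigation covered.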

Fix
RCE

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2026-33439, GHSA-2CQQ-RPVQ-G5QJ

Affected Products: Openam, Openidentityplatform