PT-2026-52178 · ForgeRock · OpenAM Community Edition
Published 2026-06-24 · Updated 2026-07-02 · CVE-2026-45051
CVSS v4.0: 9.2 (Critical)
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
OpenAM Community Edition versions prior to 16.1.1
Description
The WebAuthn authentication module deserializes data that it reads back from a user storage attribute without validating it first. An attacker who can write controlled bytes into that attribute, and who can reach an authentication flow that uses the module, can have the module deserialize them, which can lead to arbitrary code execution in the context of the application server. The precondition is that the module's userAttribute setting points to a string attribute that end users or other low-privilege principals can write; this can arise through delegated administration, provisioning, or unsafe reconfiguration. This required precondition is what the AT:P component of the CVSS vector expresses.
Recommendations
Update to version 16.1.1. Until the update is applied, confirm that the attribute named by the WebAuthn module's userAttribute setting can be written only by the OpenAM service identity, not by end users through self-service profile editing or by delegated administrators, and do not repoint userAttribute at a general-purpose user-editable attribute.
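The bug class the description refers to, shown as an added illustration in Java (the language OpenAM is written in). This is not OpenAM's code: the CredentialRecord type, the attribute name "webauthnCredential" and the in-memory profile map are assumptions standing in for a user-profile string attribute that an authentication module serializes into and later reads back. The vulnerable reader hands the attribute to ObjectInputStream unfiltered, so whoever can write the attribute chooses the class that gets instantiated; the hardened reader applies a JEP 290 ObjectInputFilter allow-list (Java 9 or later) and rejects everything else.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Illustration only, not OpenAM code. The record type, the attribute name and the
 * profile map are assumptions standing in for a user-profile string attribute that
 * a WebAuthn module stores serialized data in and deserializes on the next login.
 */
public class WebAuthnAttributeDeserialization {

    /** Hypothetical record the module expects to find in the profile attribute. */
    public static final class CredentialRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String credentialId;
        final byte[] publicKeyCose;
        final long signCount;

        CredentialRecord(String credentialId, byte[] publicKeyCose, long signCount) {
            this.credentialId = credentialId;
            this.publicKeyCose = publicKeyCose;
            this.signCount = signCount;
        }
    }

    /** Java-serialize any object and base64-encode it, the way a module might store it. */
    static String encode(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return Base64.getEncoder().encodeToString(bytes.toByteArray());
    }

    /**
     * Vulnerable pattern: the attribute value is decoded and handed to ObjectInputStream
     * with no filter. If the attribute is user-writable, the writer picks the class that
     * is instantiated, and a gadget chain on the classpath runs inside readObject().
     */
    public static Object loadUnfiltered(String attributeValue) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(attributeValue);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    /**
     * Hardened pattern: allow-list exactly the classes a record can contain (the record
     * itself and java.lang.String; byte[] has a primitive component type and is not class
     * matched), reject everything else with "!*", and cap stream size and nesting depth.
     */
    public static CredentialRecord loadFiltered(String attributeValue) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(attributeValue);
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxbytes=65536;maxdepth=4;"
                + CredentialRecord.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(filter);
            Object value = in.readObject();   // throws InvalidClassException when the filter rejects
            if (!(value instanceof CredentialRecord)) {
                throw new InvalidClassException("unexpected type in credential attribute");
            }
            return (CredentialRecord) value;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: a legitimate record as the module would have stored it.
        Map<String, String> profile = new HashMap<>();
        profile.put("webauthnCredential", encode(new CredentialRecord("cred-1", new byte[] {1, 2, 3}, 7)));
        System.out.println("filtered, legitimate record: "
                + loadFiltered(profile.get("webauthnCredential")).credentialId);

        // The same attribute overwritten by a principal who can edit it. A HashMap stands in
        // for an attacker-chosen object; the point is that the unfiltered reader instantiates
        // whatever class the attribute names.
        Map<String, Object> attackerChosen = new HashMap<>();
        attackerChosen.put("not", "a credential");
        profile.put("webauthnCredential", encode(attackerChosen));

        System.out.println("unfiltered reader instantiated: "
                + loadUnfiltered(profile.get("webauthnCredential")).getClass().getName());
        try {
            loadFiltered(profile.get("webauthnCredential"));
        } catch (InvalidClassException e) {
            System.out.println("filtered reader rejected it: " + e.getMessage());
        }
    }
}
```

The allow-list is the fix for the deserialization sink itself; it does not remove the reason the attribute should be protected in the first place. Even with a filter, a writable attribute lets a user substitute a well-formed record of their own, so the access control on the userAttribute target still matters.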
Fix
Weakness Enumeration
CWE-502: Deserialization of Untrusted Data
Related Identifiers
Affected Products
OpenAM Community Edition