PT-2026-52178 · Forgerock · Openkm Community Edition

Published

2026-06-24

·

Updated

2026-07-02

·

CVE-2026-45051

CVSS v4.0

9.2

Critical

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions OpenAM Community Edition versions prior to 16.1.1
Description A deserialization of untrusted data issue exists in the WebAuthn authentication module. This occurs when the application fails to properly validate data before deserializing it, which can lead to arbitrary code execution in the context of the application server. Exploitation is possible if an attacker can write controlled data to a storage attribute read by the WebAuthn module and the authentication flow is accessible. This scenario can occur if the userAttribute is set to a string attribute that is user-writable, which may happen through delegated administration, provisioning, or unsafe reconfiguration.
Recommendations Update to version 16.1.1.

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45051
GHSA-6C99-87FR-6Q7R

Affected Products

Openkm Community Edition