CVE-2026-33439
Published: 07 April 2026
Summary
CVE-2026-33439 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in OpenIdentityPlatform OpenAM. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
OpenIdentityPlatform OpenAM versions prior to 16.0.6 contain a pre-authentication remote code execution vulnerability stemming from unsafe Java deserialization of the jato.clientSession HTTP parameter. The flaw affects the JATO framework's ViewBean endpoints and bypasses the WhitelistObjectInputStream protection previously added to the related jato.pageSession parameter after CVE-2021-35464. It is tracked under CWE-502 and carries a CVSS 4.0 score of 9.3.
An unauthenticated attacker can exploit the issue by supplying a crafted serialized Java object in the jato.clientSession GET or POST parameter to any reachable JATO ViewBean endpoint whose JSP contains <jato:form> tags, such as the Password Reset pages. Successful exploitation grants arbitrary command execution on the server with no authentication or user interaction required.
The GitHub Security Advisory for the issue states that the vulnerability is fixed in OpenAM 16.0.6. The current EPSS score of 0.1337 with a recorded peak of 0.1714 indicates moderate and relatively stable exploitation interest since disclosure.
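Because both jato.pageSession and jato.clientSession carry serialized Java objects, the detection question for defenders is whether a request's serialized value declares classes that a JATO page would never serialize. The following script is an added example, not code from this advisory or from the OpenAM project: it pulls the two watched parameters out of access-log lines, confirms the value is a Java serialization stream, and lists the class names its class-descriptor records declare without deserializing anything. The allowlist prefixes, the log paths and the class names in the sample lines are assumptions constructed for this example.

```python
import base64
import re
import urllib.parse

JAVA_SER_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC + STREAM_VERSION of Java serialization
WATCHED_PARAMS = ("jato.clientSession", "jato.pageSession")  # the CVE-2021-35464 fix filtered only pageSession
ALLOWED_PREFIXES = ("com.iplanet.jato.", "java.lang.", "java.util.")  # assumed benign prefixes; tune per site
CLASS_NAME_RE = re.compile(rb"^\[*L?[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+;?$")

def class_names(stream):
    """Collect class names from TC_CLASSDESC records (0x72, 2-byte length, UTF name); nothing is deserialized."""
    names, i = [], 0
    while i + 3 <= len(stream):
        if stream[i] == 0x72:
            n = int.from_bytes(stream[i + 1:i + 3], "big")
            name = stream[i + 3:i + 3 + n]
            if 0 < n == len(name) and CLASS_NAME_RE.match(name):
                names.append(name.decode("ascii"))
                i += 3 + n
                continue
        i += 1
    return names

def triage_line(line):
    """Flag a request whose watched JATO parameter declares classes outside the allowlist."""
    if not (m := re.search(r'"(?:GET|POST) (\S+)', line)):
        return None
    url = urllib.parse.urlsplit(m.group(1))
    for param, value in urllib.parse.parse_qsl(url.query, keep_blank_values=True):
        if param not in WATCHED_PARAMS:
            continue
        try:
            data = base64.b64decode(value)  # parse_qsl has already URL-decoded the value
        except ValueError:
            continue
        if data.startswith(JAVA_SER_MAGIC):
            found = class_names(data)
            return {"path": url.path, "param": param, "classes": found,
                    "unexpected": [c for c in found if not c.startswith(ALLOWED_PREFIXES)]}

def sample_line(path, param, class_name):
    """Constructed access-log line holding a minimal serialized stream (paths and names are made up)."""
    name = class_name.encode("ascii")
    stream = JAVA_SER_MAGIC + b"\x73\x72" + len(name).to_bytes(2, "big") + name + b"\x00" * 8 + b"\x02\x00\x00\x78\x70"
    value = urllib.parse.quote(base64.b64encode(stream).decode("ascii"), safe="")
    return f'10.0.0.5 - - [07/Apr/2026:10:00:00 +0000] "GET {path}?{param}={value} HTTP/1.1" 200 512'

# The second line carries a class no JATO page would serialize, so it is the one to flag.
SAMPLE_LOG = [sample_line("/openam/UI/Login", "jato.pageSession", "com.iplanet.jato.example.PageState"),
              sample_line("/openam/password/ui/PWReset", "jato.clientSession", "org.example.NotAJatoClass")]
```

A plain access log only shows the query string, so the POST form of the parameter needs a WAF or full request log to be seen this way.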
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19941
Vulnerability details
Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Pre-authentication RCE in a public-facing access management web application (OpenAM) via unsafe Java deserialization directly enables exploitation of a public-facing application.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely application of the vendor patch (OpenAM 16.0.6) that eliminates the unsafe deserialization path for jato.clientSession.
- SI-10 (Information Input Validation): Mandates validation and sanitization of untrusted input; the CVE is caused by missing or bypassable validation of the serialized jato.clientSession object.
- Malicious code protection: Requires mechanisms to detect and block malicious code; unsafe Java deserialization is a common vector for injecting and executing arbitrary commands.