Cyber Resilience

CVE-2026-33439

Critical · Public PoC · RCE

Published: 07 April 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available (fixed in OpenAM 16.0.6)
CVSS Score (v4): 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.1049 (95.2nd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-33439 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in OpenIdentityPlatform OpenAM. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

OpenIdentityPlatform OpenAM versions prior to 16.0.6 contain a pre-authentication remote code execution vulnerability stemming from unsafe Java deserialization of the jato.clientSession HTTP parameter. The flaw affects the JATO framework's ViewBean endpoints and bypasses the WhitelistObjectInputStream protection previously added to the related jato.pageSession parameter after CVE-2021-35464. It is tracked under CWE-502 and carries a CVSS 4.0 score of 9.3.

An unauthenticated attacker can exploit the issue by supplying a crafted serialized Java object in the jato.clientSession GET or POST parameter to any reachable JATO ViewBean endpoint whose JSP contains <jato:form> tags, such as the Password Reset pages. Successful exploitation grants arbitrary command execution on the server with no authentication or user interaction required.

The GitHub Security Advisory for the issue states that the vulnerability is fixed in OpenAM 16.0.6. The current EPSS score of 0.1337 with a recorded peak of 0.1714 indicates moderate and relatively stable exploitation interest since disclosure.

Vulnerability details

Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.
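A defender's log check for the mechanism described in the analysis and details above, added here as an example and not taken from the advisory or the OpenAM project: it parses Common Log Format access-log lines, URL-decodes the query string, and flags any request whose jato.clientSession or jato.pageSession value begins with the Java serialization stream header (0xACED0005, which is "rO0AB" in base64). It assumes the parameter travels base64-encoded, uses a constructed placeholder path rather than a real OpenAM endpoint, and inspects query strings only, so POST bodies need request-body logging or a WAF to be covered.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# A Java serialization stream starts with magic 0xACED, version 0x0005;
# base64-encoded, that header always begins with "rO0AB".
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
JAVA_SERIAL_B64_PREFIX = "rO0AB"
# Watch both JATO parameters: the post-CVE-2021-35464 fix covered only
# jato.pageSession, and CVE-2026-33439 abuses the sibling jato.clientSession.
WATCHED_PARAMS = ("jato.clientSession", "jato.pageSession")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')  # CLF request line

# Constructed sample access-log lines (not real traffic). The path
# /openam/ui/ExamplePasswordReset is a placeholder, not a real OpenAM endpoint;
# the flagged value is only a base64 Java stream header followed by filler.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Apr/2026:10:01:02 +0000] "GET /openam/XUI/ HTTP/1.1" 200 512
10.0.0.9 - - [07/Apr/2026:10:02:15 +0000] "GET /openam/ui/ExamplePasswordReset?jato.clientSession=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA%3D%3D HTTP/1.1" 500 0
10.0.0.7 - - [07/Apr/2026:10:03:40 +0000] "GET /openam/ui/ExamplePasswordReset?jato.pageSession=abc123 HTTP/1.1" 200 2048
10.0.0.7 - - [07/Apr/2026:10:04:01 +0000] "POST /openam/ui/ExamplePasswordReset?jato.clientSession=plain HTTP/1.1" 200 2048
"""

def looks_serialized(value: str) -> bool:
    """True if a URL-decoded parameter value carries a Java serialized object."""
    # Assumption: JATO transports the object base64-encoded, so check the
    # base64 prefix first, then fall back to decoding and checking the magic.
    if value.startswith(JAVA_SERIAL_B64_PREFIX):
        return True
    try:
        decoded = base64.b64decode(value, validate=False)
    except ValueError:  # binascii.Error (bad padding) is a ValueError
        return False
    return decoded.startswith(JAVA_SERIAL_MAGIC)

def scan_access_log(text: str) -> list[dict]:
    """One finding per request whose watched JATO parameter looks serialized."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlparse(match["target"])
        params = parse_qs(url.query, keep_blank_values=True)  # URL-decodes values
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                if looks_serialized(value):
                    findings.append({"client": line.split(" ", 1)[0], "method": match["method"],
                                     "path": url.path, "param": name})
    return findings
```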

CWE(s)

CWE-502 Deserialization of Untrusted Data
Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Pre-authentication RCE in a public-facing access management web application (OpenAM) via unsafe Java deserialization maps directly to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-62368 (shared CWE-502)
CVE-2025-68903 (shared CWE-502)
CVE-2025-67911 (shared CWE-502)
CVE-2025-54014 (shared CWE-502)
CVE-2026-22505 (shared CWE-502)
CVE-2025-53078 (shared CWE-502)
CVE-2026-43633 (shared CWE-502)
CVE-2025-60039 (shared CWE-502)
CVE-2026-25429 (shared CWE-502)
CVE-2025-7697 (shared CWE-502)

Affected Assets

Vendor: openidentityplatform
Product: openam
Versions: ≤ 16.0.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation [prevent]

Directly requires timely application of the vendor patch (OpenAM 16.0.6) that eliminates the unsafe deserialization path for jato.clientSession.

SI-10 Information Input Validation [prevent]

Mandates validation and sanitization of untrusted input; the CVE is caused by missing or bypassable validation of the serialized jato.clientSession object.

[prevent, detect]

Requires mechanisms to detect and block malicious code; unsafe Java deserialization is a common vector for injecting and executing arbitrary commands.
