OpenAM 16.0.6 Released

Download

What’s new

• Addressed security vulnerabilities:
  • CVE-2026-2391 - qs library arrayLimit bypass in comma parsing allows denial of service
  • CVE-2026-32141 - flatted library vulnerable to unbounded recursion denial of service in parse()
  • CVE-2026-33228 - Prototype pollution via parse() in Node.js flatted library
  • CVE-2026-33439 - Pre-authentication remote code execution via jato.clientSession deserialization in OpenAM
• Fixed inability to set the SameSite cookie attribute in XUI
• Updated embedded OpenDJ dependency to version 5.0.4

Full changeset (more details)

Thanks for the contributions

1. Valery Kharseko
2. Maxim Thomas
3. IvanAndrukh
4. iamnoooob
5. hacktronai-research