OpenAM 16.1.1 Released

Download

What’s new

Security vulnerabilities - OpenAM

• Addressed critical OpenAM security vulnerabilities:
  • CVE-2026-41573 - LDAP Injection via _queryId Parameter
  • CVE-2026-44202 - Authenticated Server-Side Request Forgery (SSRF) via /sessionservice
  • CVE-2026-44203 - Pre-authentication Reflected XSS in OAuth2/OIDC
  • CVE-2026-44793 - Pre-authentication Reflected XSS in SAML2 Cluster Cookie-Hash-Redirect Path
  • CVE-2026-45049 - Session Hijacking via CDSSO
  • CVE-2026-45048 - Arbitrary Session Hijacking via Session Service RPC
  • CVE-2026-45051 - Conditional RCE via Java Deserialization in WebAuthn
  • CVE-2026-45052 - Anonymous Authentication via Liberty SOAP
  • CVE-2026-45794 - Unsafe Java Deserialization via Push Notification
  • CVE-2026-46498 - Arbitrary OAuth Token Minting via Push Registration
  • CVE-2026-46560 - Authentication Bypass via RADIUS Spoofing
  • CVE-2026-46619 - Authentication Bypass via MSISDN LDAP Injection
  • CVE-2026-46623 - Account Takeover via OAuth2 Unverified Password Change
  • CVE-2026-47424 - Authenticated RCE via Groovy Sandbox Escape
  • CVE-2026-47426 - OAuth Client Impersonation via JWKS Resolver Cache
  • CVE-2026-48717 - OAuth Authorization Bypass via PKCE Challenge
  • CVE-2026-53660 - Insecure SSO Cookie Initialization

Security vulnerabilities - dependencies

• Addressed third-party dependency vulnerabilities:
  • CVE-2026-33870 - Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
  • CVE-2025-67030 - Plexus-Utils Directory Traversal vulnerability
  • CVE-2026-4800, CVE-2026-2950 - lodash Code Injection and Prototype Pollution
  • CVE-2026-27315, CVE-2026-32588 - Apache Cassandra Information Leak and DoS
  • CVE-2025-64718 - js-yaml prototype pollution in merge
  • CVE-2026-21884, CVE-2026-22029, CVE-2026-22030 - React Router SSR XSS and CSRF vulnerabilities
  • CVE-2026-27606 - Rollup Arbitrary File Write via Path Traversal
  • CVE-2026-33228, CVE-2026-32141 - flatted Prototype Pollution and DoS
  • CVE-2026-39364, CVE-2026-39365, CVE-2026-39363, CVE-2025-62522 - Vite multiple vulnerabilities
  • CVE-2025-13465 - Lodash/odash Prototype Pollution
  • CVE-2026-29063 - Immutable Prototype Pollution
  • CVE-2026-33671, CVE-2026-33672 - Picomatch ReDoS and Method Injection
  • CVE-2026-26996, CVE-2026-27903, CVE-2026-27904 - minimatch ReDoS
  • CVE-2025-12383 - SSL/TLS race condition causing certificate bypass
  • CVE-2025-8916 - PKIXCertPathReviewer DoS
  • CVE-2025-7962 - Jakarta Mail SMTP Injection
  • CVE-2026-41305 - PostCSS XSS
  • CVE-2026-42577 - Netty epoll DoS
  • CVE-2026-44728 - @babel/plugin-transform-modules-systemjs arbitrary code
  • CVE-2026-6321, CVE-2026-6322 - fast-uri percent-encoded dot segments
  • CVE-2026-43869 - Apache Thrift Certificate Validation
  • CVE-2026-8723 - qs remotely triggerable DoS
  • CVE-2026-44705 - tmp Path Traversal
  • CVE-2026-47429 - Vitest UI arbitrary file read
  • CVE-2026-53550 - JS-YAML DoS in merge key handling
  • CVE-2026-53663 - React Router CSRF
  • CVE-2026-48988, CVE-2026-2327 - markdown-it ReDoS
  • CVE-2026-49356 - @babel/core Arbitrary File Read
  • CVE-2025-66453 - Rhino: replaced servicemix bundle with org.mozilla:rhino:1.7.15.1

Features

• Support HttpOnly session cookie in XUI
• Include acr and amr claims in stateless JWT access tokens
• Add OAuth2 Access Token Modification Script (OAUTH2_ACCESS_TOKEN_MODIFICATION)
• Create base entry on external configuration store during setup
• OpenAM MCP server
• OpenAM UI JS SDK
• Fixed SLO sending stale transient NameID when SP re-authenticates within same IdP session
• Updated embedded OpenDJ dependency to version 5.1.1
• Bumped Apache CXF to 4.0.11
• Upgraded PowerMock 1.7.4 → 2.0.9

Full changeset (more details)

Thanks for the contributions

1. Valery Kharseko
2. Maxim Thomas
3. Vishal Panchani
4. wodzen
5. nn0nkey