CVE-2026-33439 PoC — Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-33439.yaml

Associated Vulnerability

Title:Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM (CVE-2026-33439)
Description:Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.

Description

Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464.  This vulnerability is fixed in 16.0.6.

File Snapshot


 id: CVE-2026-33439

info:
  name: OpenAM <= 16.0.5 - Pre-Auth RCE via jato.clientSession Deserializa

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!