CVE-2026-45051 - OpenAM WebAuthn deserialization RCE

OpenAM Community Edition through 16.0.6 contains a Java deserialization flaw in the WebAuthn authentication module. If an attacker can get attacker- controlled serialized data written into the attribute that the WebAuthn module reads for authenticator storage, and the WebAuthn flow is reachable, the application server can deserialize that data and execute code in the server context.

This is not the default configuration, but it is realistic in deployments that made the WebAuthn userAttribute writable through delegated administration, self-service registration, provisioning, or direct directory writes.

When to use it

Use this recipe when an OpenAM deployment enables WebAuthn or custom identity attribute storage for authenticators. It is designed for source-code and configuration remediation, deserialization risk review, delegated-admin boundary audit, and evidence that WebAuthn storage is server-managed and not attacker-writable.

Inputs

  • OpenAM version, WebAuthn module configuration, userAttribute mapping, delegated administration policy, identity schema, and deployment exposure.
  • Source/config paths that read authenticator storage, deserialize Java data, write user attributes, or expose admin/self-service update flows.
  • Regression fixtures for attacker-writable attributes, server-managed attributes, disabled WebAuthn, valid authenticator data, and denied writes.
  • Boundary evidence: affected realms, writable attributes, admin roles, authentication logs, and remediation/rollback owner.

Affected versions

Package Vulnerable versions Fixed versions
org.openidentityplatform.openam:openam-auth-webauthn <=16.0.6 16.1.1

Indicator-of-exposure

  • The repository deploys OpenAM <=16.0.6.
  • WebAuthn authentication is enabled or reachable in any realm.
  • The configured WebAuthn storage attribute is writable by end users, delegated admins, provisioning jobs, registration flows, or direct LDAP mutation outside a strictly server-managed path.
  • The environment stores serialized WebAuthn credential objects inside LDAP or a similar attribute-backed identity store.

Quick checks:

rg -n "WebAuthn|userAttribute|openam-auth-webauthn|webauthn|serialized|LDAP" .
find . -iname "pom.xml" -o -iname "build.gradle*" | xargs rg -n "openam-auth-webauthn|16\.0\.6|16\.1\.1"

Windows:

rg -n "WebAuthn|userAttribute|openam-auth-webauthn|webauthn|serialized|LDAP" .
rg -n "openam-auth-webauthn|16\.0\.6|16\.1\.1" pom.xml build.gradle* . 2>$null

Remediation strategy

  • Upgrade OpenAM to 16.1.1+.
  • Treat the WebAuthn storage attribute as server-managed only; do not allow user, delegated-admin, self-registration, or provisioning writes to it.
  • Audit userAttribute and related realm/module settings to ensure they point to a non-user-writable attribute.
  • Add regression checks that fail if WebAuthn is reconfigured to read from a writable profile field.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-45051 / GHSA-6c99-87fr-6q7r in OpenAM. The
WebAuthn authentication module can deserialize attacker-controlled data from a
writable storage attribute and reach application-server RCE. Produce exactly
one output:

- A reviewer-ready PR/change request that upgrades OpenAM, constrains WebAuthn
  storage to server-managed attributes, adds regression checks, and documents
  operator follow-up, or
- TRIAGE.md if this repository does not control an affected OpenAM deployment.

## Rules

- Scope only CVE-2026-45051 and directly related WebAuthn storage hardening.
- Do not generate or execute gadget payloads, ysoserial payloads, or live
  exploit attempts.
- Treat directory data, serialized blobs, credentials, MFA material, and user
  records as sensitive.
- Do not widen authentication bypass, attribute write permissions, or LDAP ACLs
  while testing.
- Do not auto-merge.

## Steps

1. Inventory every OpenAM dependency, image, deployment manifest, Helm chart,
   and runtime config controlled by this repository.
2. Confirm whether any deployment runs OpenAM `<=16.0.6` and whether WebAuthn
   is enabled or reachable.
3. Locate the WebAuthn authenticator storage configuration, especially
   `userAttribute` or equivalent realm/module settings.
4. Determine whether that attribute is writable by end users, delegated admins,
   provisioning pipelines, self-registration, or direct directory sync paths.
5. If the repository does not control the affected runtime, stop with
   `TRIAGE.md` naming the owning team, vulnerable version, and required fixed
   version `16.1.1+`.
6. Upgrade OpenAM to `16.1.1+` and refresh lockfiles, images, manifests, SBOMs,
   and deployment docs.
7. Lock WebAuthn storage to a server-managed non-user-writable attribute and
   remove unsafe attribute mappings or realm defaults.
8. Add tests, policy checks, or config validation proving writable profile
   fields cannot be used as WebAuthn authenticator storage.
9. Add a PR body section named `CVE-2026-45051 operator actions` covering:
   - versions before and after;
   - whether WebAuthn was enabled;
   - which attribute was used for storage before and after;
   - whether LDAP ACL or provisioning review is still required;
   - validation that passed.
10. Run available validation: tests, build, image build, deployment render,
    config lint, and dependency/security scans.
11. Use PR title:
    `fix(sec): harden OpenAM WebAuthn storage for CVE-2026-45051`.

## Stop conditions

- No affected OpenAM runtime is controlled by this repository.
- WebAuthn is disabled everywhere and the repository cannot change the deployed
  runtime.
- Verification requires live exploit payloads or unsafe directory writes.
- Storage attribute ownership is unclear across multiple external identity
  systems; document the uncertainty in `TRIAGE.md`.

Output contract

  • A reviewer-ready PR or change request that upgrades OpenAM, locks WebAuthn storage to server-managed attributes, blocks unsafe writes, adds regression checks, and documents realm rollout.
  • Or a TRIAGE.md file that lists inspected files/config, owner, observed version, WebAuthn storage boundary, writable attributes, required fix, and residual risk.
  • The output must include exact validation commands and must not deserialize payloads against production, expose authenticator material, or print user PII.

Verification - what the reviewer looks for

  • No controlled OpenAM deployment resolves <=16.0.6.
  • WebAuthn storage points to a server-managed attribute that users cannot modify.
  • Realm/module configuration tests fail closed if userAttribute is changed to a writable field.
  • Operator notes call out any required LDAP ACL or provisioning cleanup.

Watch for

  • Upgrading the package but leaving an unsafe writable attribute mapping in realm configuration.
  • Directory write paths owned by other teams that can still mutate the chosen WebAuthn storage field.
  • Multiple OpenAM realms with different WebAuthn module settings.

References