CVE-2026-45051 - OpenAM WebAuthn deserialization RCE
OpenAM Community Edition through 16.0.6 contains a Java deserialization flaw
in the WebAuthn authentication module. If an attacker can get attacker-
controlled serialized data written into the attribute that the WebAuthn module
reads for authenticator storage, and the WebAuthn flow is reachable, the
application server can deserialize that data and execute code in the server
context.
This is not the default configuration, but it is realistic in deployments that
made the WebAuthn userAttribute writable through delegated administration,
self-service registration, provisioning, or direct directory writes.
When to use it
Use this recipe when an OpenAM deployment enables WebAuthn or custom identity attribute storage for authenticators. It is designed for source-code and configuration remediation, deserialization risk review, delegated-admin boundary audit, and evidence that WebAuthn storage is server-managed and not attacker-writable.
Inputs
- OpenAM version, WebAuthn module configuration,
userAttributemapping, delegated administration policy, identity schema, and deployment exposure. - Source/config paths that read authenticator storage, deserialize Java data, write user attributes, or expose admin/self-service update flows.
- Regression fixtures for attacker-writable attributes, server-managed attributes, disabled WebAuthn, valid authenticator data, and denied writes.
- Boundary evidence: affected realms, writable attributes, admin roles, authentication logs, and remediation/rollback owner.
Affected versions
| Package | Vulnerable versions | Fixed versions |
|---|---|---|
org.openidentityplatform.openam:openam-auth-webauthn |
<=16.0.6 |
16.1.1 |
Indicator-of-exposure
- The repository deploys OpenAM
<=16.0.6. - WebAuthn authentication is enabled or reachable in any realm.
- The configured WebAuthn storage attribute is writable by end users, delegated admins, provisioning jobs, registration flows, or direct LDAP mutation outside a strictly server-managed path.
- The environment stores serialized WebAuthn credential objects inside LDAP or a similar attribute-backed identity store.
Quick checks:
rg -n "WebAuthn|userAttribute|openam-auth-webauthn|webauthn|serialized|LDAP" .
find . -iname "pom.xml" -o -iname "build.gradle*" | xargs rg -n "openam-auth-webauthn|16\.0\.6|16\.1\.1"
Windows:
rg -n "WebAuthn|userAttribute|openam-auth-webauthn|webauthn|serialized|LDAP" .
rg -n "openam-auth-webauthn|16\.0\.6|16\.1\.1" pom.xml build.gradle* . 2>$null
Remediation strategy
- Upgrade OpenAM to
16.1.1+. - Treat the WebAuthn storage attribute as server-managed only; do not allow user, delegated-admin, self-registration, or provisioning writes to it.
- Audit
userAttributeand related realm/module settings to ensure they point to a non-user-writable attribute. - Add regression checks that fail if WebAuthn is reconfigured to read from a writable profile field.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-45051 / GHSA-6c99-87fr-6q7r in OpenAM. The
WebAuthn authentication module can deserialize attacker-controlled data from a
writable storage attribute and reach application-server RCE. Produce exactly
one output:
- A reviewer-ready PR/change request that upgrades OpenAM, constrains WebAuthn
storage to server-managed attributes, adds regression checks, and documents
operator follow-up, or
- TRIAGE.md if this repository does not control an affected OpenAM deployment.
## Rules
- Scope only CVE-2026-45051 and directly related WebAuthn storage hardening.
- Do not generate or execute gadget payloads, ysoserial payloads, or live
exploit attempts.
- Treat directory data, serialized blobs, credentials, MFA material, and user
records as sensitive.
- Do not widen authentication bypass, attribute write permissions, or LDAP ACLs
while testing.
- Do not auto-merge.
## Steps
1. Inventory every OpenAM dependency, image, deployment manifest, Helm chart,
and runtime config controlled by this repository.
2. Confirm whether any deployment runs OpenAM `<=16.0.6` and whether WebAuthn
is enabled or reachable.
3. Locate the WebAuthn authenticator storage configuration, especially
`userAttribute` or equivalent realm/module settings.
4. Determine whether that attribute is writable by end users, delegated admins,
provisioning pipelines, self-registration, or direct directory sync paths.
5. If the repository does not control the affected runtime, stop with
`TRIAGE.md` naming the owning team, vulnerable version, and required fixed
version `16.1.1+`.
6. Upgrade OpenAM to `16.1.1+` and refresh lockfiles, images, manifests, SBOMs,
and deployment docs.
7. Lock WebAuthn storage to a server-managed non-user-writable attribute and
remove unsafe attribute mappings or realm defaults.
8. Add tests, policy checks, or config validation proving writable profile
fields cannot be used as WebAuthn authenticator storage.
9. Add a PR body section named `CVE-2026-45051 operator actions` covering:
- versions before and after;
- whether WebAuthn was enabled;
- which attribute was used for storage before and after;
- whether LDAP ACL or provisioning review is still required;
- validation that passed.
10. Run available validation: tests, build, image build, deployment render,
config lint, and dependency/security scans.
11. Use PR title:
`fix(sec): harden OpenAM WebAuthn storage for CVE-2026-45051`.
## Stop conditions
- No affected OpenAM runtime is controlled by this repository.
- WebAuthn is disabled everywhere and the repository cannot change the deployed
runtime.
- Verification requires live exploit payloads or unsafe directory writes.
- Storage attribute ownership is unclear across multiple external identity
systems; document the uncertainty in `TRIAGE.md`.
Output contract
- A reviewer-ready PR or change request that upgrades OpenAM, locks WebAuthn storage to server-managed attributes, blocks unsafe writes, adds regression checks, and documents realm rollout.
- Or a
TRIAGE.mdfile that lists inspected files/config, owner, observed version, WebAuthn storage boundary, writable attributes, required fix, and residual risk. - The output must include exact validation commands and must not deserialize payloads against production, expose authenticator material, or print user PII.
Verification - what the reviewer looks for
- No controlled OpenAM deployment resolves
<=16.0.6. - WebAuthn storage points to a server-managed attribute that users cannot modify.
- Realm/module configuration tests fail closed if
userAttributeis changed to a writable field. - Operator notes call out any required LDAP ACL or provisioning cleanup.
Watch for
- Upgrading the package but leaving an unsafe writable attribute mapping in realm configuration.
- Directory write paths owned by other teams that can still mutate the chosen WebAuthn storage field.
- Multiple OpenAM realms with different WebAuthn module settings.
Related recipes
- Source code authz tenant boundary audit
- Source code secrets and data exposure audit
- OWASP Top 10 2026 audit
- NIST SSDF repository evidence check
References
- GitHub Advisory: https://github.com/advisories/GHSA-6c99-87fr-6q7r
- Vendor advisory: https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-6c99-87fr-6q7r
- Release evidence: https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.1.1