CVE-2026-45052 - OpenAM Liberty Discovery authz bypass
OpenAM Community Edition through 16.0.6 lets an unauthenticated network
attacker write persistent Liberty Discovery records through legacy SOAP
endpoints. The vulnerable Liberty Web Services receiver performs writes
server-side, bypassing requester LDAP and identity ACLs, and the global
Discovery path uses an internal admin token.
This is a legacy federation surface. Even if downstream Liberty consumers are rare, the write itself is pre-auth and persistent.
When to use it
Use this recipe when an OpenAM deployment exposes legacy Liberty Web Services, SOAP receivers, or discovery endpoints. It supports source-code/configuration remediation, federation-surface review, pre-auth write prevention, and audit evidence that unauthenticated callers cannot persist discovery entries with server-side privileges.
Inputs
- OpenAM version, Liberty endpoint exposure, SOAP receiver config, Discovery service settings, realm policy, and reverse proxy/network controls.
- Source/config paths that enable Liberty endpoints, perform discovery writes, use internal admin tokens, or authorize SOAP requests.
- Regression fixtures for unauthenticated callers, authenticated allowed callers, disabled endpoints, denied writes, and persistent-entry cleanup.
- Boundary evidence: exposed endpoints, realms, persisted records, logs, downstream Liberty consumers, and owner for endpoint disablement.
Affected versions
| Package | Vulnerable versions | Fixed versions |
|---|---|---|
org.openidentityplatform.openam:openam-federation-library |
<=16.0.6 |
16.1.1 |
Indicator-of-exposure
- The repository deploys OpenAM
<=16.0.6. - Liberty ID-WSF / Discovery / IDPP SOAP endpoints are enabled, deployed, or network reachable.
- Discovery records are stored in LDAP or similar persistent backing stores.
- Internal services or integrations still consume Liberty discovery data for routing or mechanism selection.
Quick checks:
rg -n "Liberty|ID-WSF|Discovery|SOAP|openam-federation-library|idpp|discovery" .
find . -iname "pom.xml" -o -iname "build.gradle*" | xargs rg -n "openam-federation-library|16\.0\.6|16\.1\.1"
Windows:
rg -n "Liberty|ID-WSF|Discovery|SOAP|openam-federation-library|idpp|discovery" .
rg -n "openam-federation-library|16\.0\.6|16\.1\.1" pom.xml build.gradle* . 2>$null
Remediation strategy
- Upgrade OpenAM to
16.1.1+. - Disable Liberty Discovery / ID-WSF endpoints entirely if the deployment does not intentionally rely on them.
- If Liberty must remain enabled, restrict network reachability to trusted callers and audit stored Discovery data for tampering.
- Add regression checks to ensure anonymous SOAP writes cannot persist Discovery records.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-45052 / GHSA-p462-xxwx-pqf4 in OpenAM. Legacy
Liberty Discovery SOAP endpoints permit anonymous persistent writes performed
with elevated server-side privileges. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades OpenAM, removes or locks
down the Liberty surface, adds tests or config guards, and documents cleanup,
or
- TRIAGE.md if this repository does not control an affected OpenAM deployment.
## Rules
- Scope only CVE-2026-45052 and directly related Liberty Discovery hardening.
- Do not perform live unauthorized write attempts against production identity
stores.
- Treat Discovery records, realm config, directory data, and service endpoints
as sensitive.
- Prefer disabling unused Liberty surfaces over preserving legacy exposure.
- Do not auto-merge.
## Steps
1. Inventory every OpenAM dependency, image, manifest, and runtime config
controlled by this repository.
2. Confirm whether any deployment runs OpenAM `<=16.0.6`.
3. Identify whether Liberty ID-WSF / Discovery / IDPP SOAP endpoints are
enabled, routable, or exposed through ingress, API gateways, or internal
meshes.
4. Determine whether anything still consumes Liberty Discovery records.
5. If the repository does not control the affected runtime, stop with
`TRIAGE.md` naming the owning team, vulnerable version, and required fixed
version `16.1.1+`.
6. Upgrade OpenAM to `16.1.1+` and refresh locks, images, manifests, SBOMs,
and deployment documentation.
7. If Liberty is unused, disable the affected endpoints and remove stale routes.
8. If Liberty is required, enforce trusted-caller reachability and add tests or
config checks proving anonymous requests cannot persist Discovery writes.
9. Add a PR body section named `CVE-2026-45052 operator actions` covering:
- versions before and after;
- whether Liberty endpoints were disabled or restricted;
- whether Discovery data review or cleanup is required;
- affected routes and network boundaries;
- validation that passed.
10. Run available validation: tests, build, image build, deployment render,
route policy checks, and dependency/security scans.
11. Use PR title:
`fix(sec): close OpenAM Liberty discovery bypass`.
## Stop conditions
- No affected OpenAM runtime is controlled by this repository.
- Liberty is managed externally and cannot be changed from this repo.
- Verification would require unsafe writes to live identity data.
- Removing Liberty would break unknown legacy consumers; document the owner and
dependency in `TRIAGE.md`.
Output contract
- A reviewer-ready PR or change request that upgrades OpenAM, disables unused Liberty endpoints, enforces authorization on discovery writes, adds regression checks, and documents cleanup of persisted records.
- Or a
TRIAGE.mdfile that lists inspected config, owner, observed version, Liberty exposure, discovery-write boundary, required fix, and residual risk. - The output must include exact validation commands and must not write to production discovery stores, expose identity data, or print admin tokens.
Verification - what the reviewer looks for
- No controlled OpenAM deployment resolves
<=16.0.6. - Liberty SOAP endpoints are disabled where unused, or otherwise tightly scoped and no longer allow anonymous persistent writes.
- Config or integration tests cover the protected Discovery write path.
- Cleanup notes address review of previously persisted Discovery entries.
Watch for
- Upgrading the library while leaving legacy SOAP routes reachable through old ingress rules.
- Shared root-realm Discovery branches that need data review after the fix.
- Hidden consumers of Liberty Discovery data in older partner integrations.
Related recipes
- Source code authz tenant boundary audit
- Source code secrets and data exposure audit
- NIST SSDF repository evidence check
- SOC 2 change management evidence check
References
- GitHub Advisory: https://github.com/advisories/GHSA-p462-xxwx-pqf4
- Vendor advisory: https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-p462-xxwx-pqf4
- Release evidence: https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.1.1