CVE-2026-45052 - OpenAM Liberty Discovery authz bypass

OpenAM Community Edition through 16.0.6 lets an unauthenticated network attacker write persistent Liberty Discovery records through legacy SOAP endpoints. The vulnerable Liberty Web Services receiver performs writes server-side, bypassing requester LDAP and identity ACLs, and the global Discovery path uses an internal admin token.

This is a legacy federation surface. Even if downstream Liberty consumers are rare, the write itself is pre-auth and persistent.

When to use it

Use this recipe when an OpenAM deployment exposes legacy Liberty Web Services, SOAP receivers, or discovery endpoints. It supports source-code/configuration remediation, federation-surface review, pre-auth write prevention, and audit evidence that unauthenticated callers cannot persist discovery entries with server-side privileges.

Inputs

  • OpenAM version, Liberty endpoint exposure, SOAP receiver config, Discovery service settings, realm policy, and reverse proxy/network controls.
  • Source/config paths that enable Liberty endpoints, perform discovery writes, use internal admin tokens, or authorize SOAP requests.
  • Regression fixtures for unauthenticated callers, authenticated allowed callers, disabled endpoints, denied writes, and persistent-entry cleanup.
  • Boundary evidence: exposed endpoints, realms, persisted records, logs, downstream Liberty consumers, and owner for endpoint disablement.

Affected versions

Package Vulnerable versions Fixed versions
org.openidentityplatform.openam:openam-federation-library <=16.0.6 16.1.1

Indicator-of-exposure

  • The repository deploys OpenAM <=16.0.6.
  • Liberty ID-WSF / Discovery / IDPP SOAP endpoints are enabled, deployed, or network reachable.
  • Discovery records are stored in LDAP or similar persistent backing stores.
  • Internal services or integrations still consume Liberty discovery data for routing or mechanism selection.

Quick checks:

rg -n "Liberty|ID-WSF|Discovery|SOAP|openam-federation-library|idpp|discovery" .
find . -iname "pom.xml" -o -iname "build.gradle*" | xargs rg -n "openam-federation-library|16\.0\.6|16\.1\.1"

Windows:

rg -n "Liberty|ID-WSF|Discovery|SOAP|openam-federation-library|idpp|discovery" .
rg -n "openam-federation-library|16\.0\.6|16\.1\.1" pom.xml build.gradle* . 2>$null

Remediation strategy

  • Upgrade OpenAM to 16.1.1+.
  • Disable Liberty Discovery / ID-WSF endpoints entirely if the deployment does not intentionally rely on them.
  • If Liberty must remain enabled, restrict network reachability to trusted callers and audit stored Discovery data for tampering.
  • Add regression checks to ensure anonymous SOAP writes cannot persist Discovery records.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-45052 / GHSA-p462-xxwx-pqf4 in OpenAM. Legacy
Liberty Discovery SOAP endpoints permit anonymous persistent writes performed
with elevated server-side privileges. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades OpenAM, removes or locks
  down the Liberty surface, adds tests or config guards, and documents cleanup,
  or
- TRIAGE.md if this repository does not control an affected OpenAM deployment.

## Rules

- Scope only CVE-2026-45052 and directly related Liberty Discovery hardening.
- Do not perform live unauthorized write attempts against production identity
  stores.
- Treat Discovery records, realm config, directory data, and service endpoints
  as sensitive.
- Prefer disabling unused Liberty surfaces over preserving legacy exposure.
- Do not auto-merge.

## Steps

1. Inventory every OpenAM dependency, image, manifest, and runtime config
   controlled by this repository.
2. Confirm whether any deployment runs OpenAM `<=16.0.6`.
3. Identify whether Liberty ID-WSF / Discovery / IDPP SOAP endpoints are
   enabled, routable, or exposed through ingress, API gateways, or internal
   meshes.
4. Determine whether anything still consumes Liberty Discovery records.
5. If the repository does not control the affected runtime, stop with
   `TRIAGE.md` naming the owning team, vulnerable version, and required fixed
   version `16.1.1+`.
6. Upgrade OpenAM to `16.1.1+` and refresh locks, images, manifests, SBOMs,
   and deployment documentation.
7. If Liberty is unused, disable the affected endpoints and remove stale routes.
8. If Liberty is required, enforce trusted-caller reachability and add tests or
   config checks proving anonymous requests cannot persist Discovery writes.
9. Add a PR body section named `CVE-2026-45052 operator actions` covering:
   - versions before and after;
   - whether Liberty endpoints were disabled or restricted;
   - whether Discovery data review or cleanup is required;
   - affected routes and network boundaries;
   - validation that passed.
10. Run available validation: tests, build, image build, deployment render,
    route policy checks, and dependency/security scans.
11. Use PR title:
    `fix(sec): close OpenAM Liberty discovery bypass`.

## Stop conditions

- No affected OpenAM runtime is controlled by this repository.
- Liberty is managed externally and cannot be changed from this repo.
- Verification would require unsafe writes to live identity data.
- Removing Liberty would break unknown legacy consumers; document the owner and
  dependency in `TRIAGE.md`.

Output contract

  • A reviewer-ready PR or change request that upgrades OpenAM, disables unused Liberty endpoints, enforces authorization on discovery writes, adds regression checks, and documents cleanup of persisted records.
  • Or a TRIAGE.md file that lists inspected config, owner, observed version, Liberty exposure, discovery-write boundary, required fix, and residual risk.
  • The output must include exact validation commands and must not write to production discovery stores, expose identity data, or print admin tokens.

Verification - what the reviewer looks for

  • No controlled OpenAM deployment resolves <=16.0.6.
  • Liberty SOAP endpoints are disabled where unused, or otherwise tightly scoped and no longer allow anonymous persistent writes.
  • Config or integration tests cover the protected Discovery write path.
  • Cleanup notes address review of previously persisted Discovery entries.

Watch for

  • Upgrading the library while leaving legacy SOAP routes reachable through old ingress rules.
  • Shared root-realm Discovery branches that need data review after the fix.
  • Hidden consumers of Liberty Discovery data in older partner integrations.

References