OpenAM 16.0.6 patches pre-auth RCE in jato.clientSession deserialization
TL;DR — OpenAM has a Critical unauthenticated Java deserialization bug that can be hit pre-login to execute commands via the jato.clientSession request parameter.
What happened
OpenAM is an open-source access management (IAM) server that provides authentication, single sign-on and access control for applications. CVE-2026-33439 describes a pre-authentication remote code execution (RCE) issue caused by unsafe Java deserialization of the jato.clientSession HTTP parameter.
Per the CVE record, the bug bypasses the deserialization mitigation that was applied to a different parameter (jato.pageSession) after CVE-2021-35464, leaving jato.clientSession as an alternate deserialization entry point. An unauthenticated attacker can send a crafted serialized Java object as a jato.clientSession GET or POST parameter to vulnerable JATO ViewBean endpoints (the CVE calls out the Password Reset pages as an example) and achieve arbitrary command execution before any login takes place.
| Item | Source value |
|---|---|
| Affected product | OpenIdentityPlatform OpenAM |
| Affected versions | < 16.0.6 |
| Fixed version | 16.0.6 |
| Severity | CVSS v4.0 9.3 (Critical) |
| CVSS v4.0 vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Pre-auth deserialization bugs are “front door” failures: they sit on internet-reachable request surfaces and tend to become high-value targets because they collapse auth boundaries into a single request parameter.
Who is impacted
- Deployments running OpenIdentityPlatform OpenAM versions < 16.0.6.
- Environments where OpenAM endpoints handling JATO ViewBeans are reachable from untrusted networks (internet-exposed or broadly reachable internal networks).
- Any OpenAM deployment where compromise of the IAM tier would cascade into broad application access (session issuance, SSO assertions, directory-backed authorization decisions).
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing. Per the CVE record:
"This vulnerability is fixed in 16.0.6."
- Inventory where OpenAM is deployed (VMs, containers, Helm releases) and prioritize patching any instances reachable from untrusted networks.
- Triage as an IAM-tier compromise-risk issue:
  - review HTTP access logs for unexpected requests carrying jato.clientSession parameters to JATO ViewBean endpoints; a value beginning with rO0AB is base64 of the Java serialization stream magic (AC ED 00 05) and should be treated as an exploitation attempt. Note that access logs only record query strings, so a payload delivered in a POST body is invisible there and needs request-body logging, reverse-proxy or WAF logs instead.
  - if compromise is suspected, rotate credentials and secrets accessible to (or issued by) the OpenAM service (e.g., SSO signing keys / tokens, directory bind credentials) in line with your incident response process.
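The two triage steps above, as an added example that is not part of the original advisory or of the OpenAM project: a small Python script that flags OpenAM versions below 16.0.6 and scans Apache/Tomcat combined-format access logs for jato.clientSession and jato.pageSession parameters, marking values that begin with the base64 form of the Java serialization magic. The log lines, IP addresses and the ViewBean paths used in the sample are constructed for illustration; the password-reset path is an assumption and any serialized blob shown is truncated. Only GET query strings are visible in access logs, which the sample deliberately shows.

```python
"""Triage helper for the jato.* deserialization entry points in OpenAM.

Added example, not OpenAM project code. Log lines, IPs (documentation ranges)
and paths below are constructed for illustration.
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (16, 0, 6)  # from the advisory: fixed in 16.0.6
JATO_PARAMS = ("jato.clientSession", "jato.pageSession")

# A Java serialization stream starts with the magic bytes AC ED 00 05; in
# base64 that is always "rO0AB", which is what shows up in a URL or form field.
JAVA_SERIAL_B64_PREFIX = base64.b64encode(b"\xac\xed\x00\x05")[:5].decode()

# Apache/Tomcat "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic). The third line is a POST whose
# body parameters are not recorded by the access log, so it produces no hit.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:09:14:02 +0000] "GET /openam/XUI/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2026:09:15:41 +0000] "GET /openam/password/ui/PWResetUserValidation?jato.clientSession=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA HTTP/1.1" 500 1024 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2026:09:15:42 +0000] "POST /openam/password/ui/PWResetUserValidation HTTP/1.1" 500 1024 "-" "python-requests/2.31"
192.0.2.77 - - [10/Mar/2026:09:16:10 +0000] "GET /openam/ccversion/Version?jato.pageSession=rO0ABXNyAA HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2026:09:17:03 +0000] "GET /openam/password/ui/PWResetUserValidation?jato.clientSession=notserialized HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def version_is_vulnerable(version: str) -> bool:
    """True for OpenAM versions below 16.0.6 (numeric prefix of each component)."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3]) < FIXED_VERSION


def parse_access_line(line: str):
    """Split one combined-format line into fields plus a decoded query dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qs percent-decodes values, so an encoded base64 blob comes back intact.
    rec["params"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def find_jato_hits(log_text: str):
    """Return one record per jato.* parameter seen in a query string."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        for name in JATO_PARAMS:
            for value in rec["params"].get(name, []):
                hits.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "path": rec["path"],
                    "param": name,
                    "status": rec["status"],
                    "ua": rec["ua"],
                    # Serialized Java payload, not just any jato.* value.
                    "serialized": value.startswith(JAVA_SERIAL_B64_PREFIX),
                })
    return hits


if __name__ == "__main__":
    for v in ("15.2.1", "16.0.5", "16.0.6"):
        print(f"OpenAM {v}: {'VULNERABLE' if version_is_vulnerable(v) else 'fixed'}")
    for h in find_jato_hits(SAMPLE_LOG):
        flag = "SERIALIZED PAYLOAD" if h["serialized"] else "non-serialized value"
        print(f"{h['ts']} {h['ip']} {h['param']} -> {h['path']} [{flag}] ua={h['ua']}")
```

Treat any jato.* parameter carrying a serialized stream as an exploitation attempt regardless of the HTTP status returned: a 500 often just means the gadget chain did not match the server's classpath. Because the 2021 mitigation covered jato.pageSession only, a hit on that parameter against a patched host is still worth a look, and a hit on jato.clientSession against a host below 16.0.6 should trigger the credential-rotation step.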
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
