GHSA-4v2w-2wqp-mc85: OpenAM OAuth Authorization Bypass via PKCE Challenge
An authorization bypass vulnerability exists in OpenAM Community Edition's OAuth2 authorization-code grant implementation through version 16.0.6. The flaw allows a PKCE-protected authorization code to be redeemed without supplying the required code_verifier when the realm-wide enforcement setting is disabled (the default). This enables an attacker who intercepts an authorization code to exchange it for tokens without the verifier, bypassing PKCE protections. The issue was patched in version 16.1.1.
AI Analysis
Technical Summary
OpenAM Community Edition versions prior to 16.1.1 have an improper authorization vulnerability (CWE-285) in their OAuth2 authorization-code grant flow related to PKCE enforcement. The authorize endpoint stores a code_challenge with the issued code, but the token endpoint only requires a code_verifier if the realm-wide codeVerifierEnforced setting is enabled, which is disabled by default. If this setting is off, the token endpoint verifies the code_verifier only if supplied, allowing omission to bypass PKCE verification. This allows attackers who intercept authorization codes to redeem them without the verifier, potentially obtaining tokens without proper authorization. Confidential clients require additional authentication material to exploit. The vulnerability is fixed in OpenAM Community Edition version 16.1.1.
Potential Impact
Deployments of OpenAM Community Edition through version 16.0.6 using default OAuth2 provider settings are vulnerable. Attackers intercepting authorization codes for public clients can redeem tokens without the PKCE code_verifier, bypassing intended security controls. For confidential clients, exploitation requires additional client authentication material or execution context. Incorrect code_verifier submissions are rejected; the bypass occurs only when the parameter is omitted. This weakens the security of OAuth2 authorization flows relying on PKCE.
Mitigation Recommendations
A fix is available in OpenAM Community Edition version 16.1.1. Users should upgrade to version 16.1.1 or later to remediate this vulnerability. Until upgraded, enabling the realm-wide codeVerifierEnforced setting may mitigate the issue by enforcing PKCE verification on all token requests.
GHSA-4v2w-2wqp-mc85: OpenAM OAuth Authorization Bypass via PKCE Challenge
Description
An authorization bypass vulnerability exists in OpenAM Community Edition's OAuth2 authorization-code grant implementation through version 16.0.6. The flaw allows a PKCE-protected authorization code to be redeemed without supplying the required code_verifier when the realm-wide enforcement setting is disabled (the default). This enables an attacker who intercepts an authorization code to exchange it for tokens without the verifier, bypassing PKCE protections. The issue was patched in version 16.1.1.
CVSS v4.0
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OpenAM Community Edition versions prior to 16.1.1 have an improper authorization vulnerability (CWE-285) in their OAuth2 authorization-code grant flow related to PKCE enforcement. The authorize endpoint stores a code_challenge with the issued code, but the token endpoint only requires a code_verifier if the realm-wide codeVerifierEnforced setting is enabled, which is disabled by default. If this setting is off, the token endpoint verifies the code_verifier only if supplied, allowing omission to bypass PKCE verification. This allows attackers who intercept authorization codes to redeem them without the verifier, potentially obtaining tokens without proper authorization. Confidential clients require additional authentication material to exploit. The vulnerability is fixed in OpenAM Community Edition version 16.1.1.
Potential Impact
Deployments of OpenAM Community Edition through version 16.0.6 using default OAuth2 provider settings are vulnerable. Attackers intercepting authorization codes for public clients can redeem tokens without the PKCE code_verifier, bypassing intended security controls. For confidential clients, exploitation requires additional client authentication material or execution context. Incorrect code_verifier submissions are rejected; the bypass occurs only when the parameter is omitted. This weakens the security of OAuth2 authorization flows relying on PKCE.
Mitigation Recommendations
A fix is available in OpenAM Community Edition version 16.1.1. Users should upgrade to version 16.1.1 or later to remediate this vulnerability. Until upgraded, enabling the realm-wide codeVerifierEnforced setting may mitigate the issue by enforcing PKCE verification on all token requests.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-4v2w-2wqp-mc85
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-48717"]
- Ecosystems
- ["Maven"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 4.0
Threat ID: 6a42ed2027e9c797199338bb
Added to database: 06/29/2026, 22:09:36 UTC
Last enriched: 06/29/2026, 22:15:32 UTC
Last updated: 06/30/2026, 00:44:42 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.