GHSA-f2cx-463q-7m2c: OpenAM OAuth Client Impersonation via JWKS Resolver Cache
An authentication vulnerability in OpenAM Community Edition's OAuth2 private_key_jwt client authentication allows any registered OAuth2 client to mint tokens as any other client whose key is published via a jwks_uri, without needing the victim's signing key. This affects versions prior to 16.1.1 and was patched in 16.1.1. The issue enables token impersonation across any realm hosted by the affected OpenAM process.
AI Analysis
Technical Summary
CVE-2026-47426 is an Improper Authentication (CWE-287) vulnerability in OpenAM Community Edition's OAuth2 private_key_jwt client authentication path. The flaw allows an attacker who controls any registered OAuth2 client with keys published via jwks_uri to mint access tokens impersonating any other such client, without knowledge of the victim client's signing key. This impacts OpenAM versions before 16.1.1 and affects all realms hosted by the OpenAM instance. The vulnerability was fixed in version 16.1.1.
Potential Impact
An attacker with any registered OAuth2 client configured for private_key_jwt authentication and keys published via jwks_uri can impersonate any other client by minting access tokens in their name. This compromises client authentication integrity and could lead to unauthorized access across all realms managed by the vulnerable OpenAM deployment.
Mitigation Recommendations
This vulnerability is patched in OpenAM Community Edition version 16.1.1. Users should upgrade to version 16.1.1 or later to remediate this issue. No other mitigations are indicated by the vendor advisory.
GHSA-f2cx-463q-7m2c: OpenAM OAuth Client Impersonation via JWKS Resolver Cache
Description
An authentication vulnerability in OpenAM Community Edition's OAuth2 private_key_jwt client authentication allows any registered OAuth2 client to mint tokens as any other client whose key is published via a jwks_uri, without needing the victim's signing key. This affects versions prior to 16.1.1 and was patched in 16.1.1. The issue enables token impersonation across any realm hosted by the affected OpenAM process.
CVSS v4.0
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-47426 is an Improper Authentication (CWE-287) vulnerability in OpenAM Community Edition's OAuth2 private_key_jwt client authentication path. The flaw allows an attacker who controls any registered OAuth2 client with keys published via jwks_uri to mint access tokens impersonating any other such client, without knowledge of the victim client's signing key. This impacts OpenAM versions before 16.1.1 and affects all realms hosted by the OpenAM instance. The vulnerability was fixed in version 16.1.1.
Potential Impact
An attacker with any registered OAuth2 client configured for private_key_jwt authentication and keys published via jwks_uri can impersonate any other client by minting access tokens in their name. This compromises client authentication integrity and could lead to unauthorized access across all realms managed by the vulnerable OpenAM deployment.
Mitigation Recommendations
This vulnerability is patched in OpenAM Community Edition version 16.1.1. Users should upgrade to version 16.1.1 or later to remediate this issue. No other mitigations are indicated by the vendor advisory.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-f2cx-463q-7m2c
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-47426"]
- Ecosystems
- ["Maven"]
- Database Specific Severity
- HIGH
- Cvss Version
- 4.0
Threat ID: 6a42ed2027e9c797199338bf
Added to database: 06/29/2026, 22:09:36 UTC
Last enriched: 06/29/2026, 22:15:41 UTC
Last updated: 06/30/2026, 01:04:19 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.