GHSA-gf57-4mp6-m85x: OpenAM Account Takeover via Unverified Password Change in OAuth2 Module
OpenAM Community Edition through version 16.0.6 contains a vulnerability in its OAuth2 authentication module where a user's password is silently reset to their username upon OAuth2 re-login. This allows an unauthenticated attacker to authenticate as that user using the username as both username and password. The issue also reactivates disabled accounts silently. The vulnerability is patched in version 16.1.1.
AI Analysis
Technical Summary
An Unverified Password Change and Use of Weak Credentials vulnerability exists in OpenAM Community Edition's OAuth2 authentication module. When a user re-logs in via OAuth2, the local password is overwritten with the username string. The default ldapService chain then accepts the username as the password, enabling unauthenticated attackers to gain a session with the victim's privileges by authenticating with username and password both set to the username. This affects versions prior to 16.1.1. Usernames shorter than the minimum password length are not affected. Disabled accounts are silently reactivated upon OAuth login. The vulnerability is fixed in version 16.1.1.
Potential Impact
Unauthenticated attackers can gain unauthorized access to user accounts by authenticating with the username as both username and password after the victim re-logs in via OAuth2. This grants attacker sessions with the victim's privileges. Additionally, disabled accounts may be silently reactivated, increasing risk. The vulnerability affects deployments using the OAuth2 module with account creation enabled.
Mitigation Recommendations
A patch is available in OpenAM Community Edition version 16.1.1. Users should upgrade to version 16.1.1 or later to remediate this vulnerability. No other mitigations are indicated by the vendor advisory.
GHSA-gf57-4mp6-m85x: OpenAM Account Takeover via Unverified Password Change in OAuth2 Module
Description
OpenAM Community Edition through version 16.0.6 contains a vulnerability in its OAuth2 authentication module where a user's password is silently reset to their username upon OAuth2 re-login. This allows an unauthenticated attacker to authenticate as that user using the username as both username and password. The issue also reactivates disabled accounts silently. The vulnerability is patched in version 16.1.1.
CVSS v4.0
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
An Unverified Password Change and Use of Weak Credentials vulnerability exists in OpenAM Community Edition's OAuth2 authentication module. When a user re-logs in via OAuth2, the local password is overwritten with the username string. The default ldapService chain then accepts the username as the password, enabling unauthenticated attackers to gain a session with the victim's privileges by authenticating with username and password both set to the username. This affects versions prior to 16.1.1. Usernames shorter than the minimum password length are not affected. Disabled accounts are silently reactivated upon OAuth login. The vulnerability is fixed in version 16.1.1.
Potential Impact
Unauthenticated attackers can gain unauthorized access to user accounts by authenticating with the username as both username and password after the victim re-logs in via OAuth2. This grants attacker sessions with the victim's privileges. Additionally, disabled accounts may be silently reactivated, increasing risk. The vulnerability affects deployments using the OAuth2 module with account creation enabled.
Mitigation Recommendations
A patch is available in OpenAM Community Edition version 16.1.1. Users should upgrade to version 16.1.1 or later to remediate this vulnerability. No other mitigations are indicated by the vendor advisory.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-gf57-4mp6-m85x
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-46623"]
- Ecosystems
- ["Maven"]
- Database Specific Severity
- HIGH
- Cvss Version
- 4.0
Threat ID: 6a3ef79427e9c79719ff7bec
Added to database: 06/26/2026, 22:05:08 UTC
Last enriched: 06/26/2026, 22:18:43 UTC
Last updated: 06/26/2026, 22:18:43 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.