CVE-2026-45048: OpenAM Authenticated Privilege Escalation via Session RPC Token Disclosure
A missing ownership check in OpenAM's session management endpoint lets any logged-in user fetch the active session token of any other user, including admins, enabling full privilege escalation.

The problem
OpenAM's PLL session service endpoint (`/sessionservice`) accepts a `_target` parameter identifying any user session. It authenticates the caller but never checks whether the caller owns the requested session.
Any low-privilege account can query the session credentials of a higher-privilege user, including administrators. With the returned session token the attacker can impersonate that user across every application protected by OpenAM.
Proof of concept
```bash
curl -s -X GET \
  'https://openam.example.com/openam/sessionservice?_target=amadmin' \
  -H 'Cookie: iPlanetDirectoryPro=<low-privilege-session-token>'
```

The root cause is CWE-285 (Improper Authorization): the session RPC handler resolves and returns `SessionInfo` for the token ID supplied in `_target` without comparing the session owner to the authenticated caller. The raw session token present in the response can be replayed directly as a `Cookie: iPlanetDirectoryPro` value.
The patch in 16.1.1 adds an ownership/privilege check before the session info is returned, refusing the lookup when the caller does not own the target session and is not an administrator. This mirrors the fix applied to the same class of bug in ForgeRock Access Management under CVE-2021-4201.
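To make the missing check concrete, the following is an added illustration (not OpenAM's code, and not the 16.1.1 patch) of the two handler shapes the advisory contrasts: a lookup that authenticates the caller but returns whatever session `_target` names, beside one that refuses unless the caller owns that session or is an administrator. The `SessionInfo` dataclass, the in-memory `SESSIONS` table and the account names are constructed for the example.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when an authorization check rejects a session lookup."""


@dataclass(frozen=True)
class SessionInfo:
    owner: str          # principal that owns the session
    token: str          # raw session token: the value disclosed by the bug
    is_admin: bool = False


# Constructed in-memory session table keyed by the value a client would pass
# as `_target`; this is NOT OpenAM's real session store or SessionInfo type.
SESSIONS = {
    "amadmin": SessionInfo("amadmin", "TOKEN-AMADMIN-constructed", is_admin=True),
    "alice":   SessionInfo("alice",   "TOKEN-ALICE-constructed"),
    "bob":     SessionInfo("bob",     "TOKEN-BOB-constructed"),
}


def lookup_session_vulnerable(caller: str, target: str) -> SessionInfo:
    """CWE-285 pattern from the advisory: the caller is authenticated, but the
    session named by `target` is returned without ever comparing its owner
    to the caller."""
    if caller not in SESSIONS:
        raise Forbidden("caller is not authenticated")
    return SESSIONS[target]          # any logged-in user reads any session


def lookup_session_fixed(caller: str, target: str) -> SessionInfo:
    """Ownership/privilege check: the lookup is refused unless the caller
    owns the target session or holds administrative privilege."""
    if caller not in SESSIONS:
        raise Forbidden("caller is not authenticated")
    caller_info = SESSIONS[caller]
    if target != caller_info.owner and not caller_info.is_admin:
        raise Forbidden(f"{caller} may not read the session of {target}")
    return SESSIONS[target]


def lookup_allowed(caller: str, target: str, handler) -> bool:
    """True if `handler` hands the caller the target's session info."""
    try:
        handler(caller, target)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    for name, handler in (("vulnerable", lookup_session_vulnerable),
                          ("fixed", lookup_session_fixed)):
        print(name, "bob -> amadmin:", lookup_allowed("bob", "amadmin", handler))
```

The decisive line in the hardened version compares the client-supplied `_target` against the owner recorded in the caller's own session object, never against anything the client sent; an authenticated-but-unprivileged account therefore gets `Forbidden` for every session except its own.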
The fix
Upgrade to OpenAM Community Edition 16.1.1 or later. If an immediate upgrade is not possible, restrict network-level access to `/sessionservice` to trusted administrative hosts only and monitor for requests from non-admin accounts carrying unusual `_target` parameter values.
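As an added example of the monitoring the workaround calls for (this is not an OpenAM feature or the project's own tooling), the script below scans request-log lines for `/sessionservice` calls where the authenticated caller asked for a `_target` other than itself without being an administrator. The log line format, the sample entries and the `ADMIN_ACCOUNTS` set are constructed assumptions; real OpenAM access and audit logs use a different layout, so the regex is the part to adapt.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Accounts permitted to look up other users' sessions (assumption: only amadmin).
ADMIN_ACCOUNTS = {"amadmin"}

# Constructed log format, one request per line:
#   <timestamp> <source-ip> <method> <url> user=<caller> status=<code>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"user=(?P<user>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample: two cross-user lookups by non-admins, one admin lookup,
# one self lookup, one unrelated endpoint, one request with no _target.
SAMPLE_LOG = """\
2026-03-01T09:58:02Z 10.0.0.21 GET /openam/sessionservice?_target=alice user=alice status=200
2026-03-01T09:58:40Z 10.0.0.33 GET /openam/sessionservice?_target=amadmin user=bob status=200
2026-03-01T09:59:11Z 10.0.0.7 GET /openam/sessionservice?_target=bob user=amadmin status=200
2026-03-01T09:59:50Z 10.0.0.33 GET /openam/json/users/bob user=bob status=200
2026-03-01T10:00:15Z 10.0.0.48 GET /openam/sessionservice?_target=dave user=carol status=200
2026-03-01T10:00:31Z 10.0.0.48 GET /openam/sessionservice user=carol status=400
"""


def parse_line(line: str):
    """Split one log line into its fields plus the URL path and _target value;
    returns None for lines that do not match the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["target"] = parse_qs(parts.query).get("_target", [None])[0]
    return rec


def suspicious_session_lookups(lines):
    """Return (timestamp, source, caller, target) for every /sessionservice
    request in which a non-admin caller asked for somebody else's session."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/sessionservice"):
            continue
        target = rec["target"]
        if target is None:
            continue                      # no _target: nothing to compare
        if rec["user"] in ADMIN_ACCOUNTS or target == rec["user"]:
            continue                      # admin, or a user reading own session
        hits.append((rec["ts"], rec["src"], rec["user"], target))
    return hits


if __name__ == "__main__":
    for hit in suspicious_session_lookups(SAMPLE_LOG.splitlines()):
        print("ALERT cross-user session lookup:", hit)
```

Run against the constructed sample it reports only the `bob -> amadmin` and `carol -> dave` lookups; the self lookup, the administrator's lookup, the unrelated endpoint and the request without a `_target` are ignored. Because the vulnerable endpoint answers such requests with status 200, the status code cannot be used to separate abuse from normal use, which is why the rule keys on the caller/target mismatch instead.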