CVE-2026-45051: OpenAM WebAuthn Authenticator Java Deserialization RCE
OpenAM's WebAuthn authentication module deserializes a Java object read directly from a user-controlled LDAP attribute with no class filtering, allowing an attacker who can write to that attribute to

The problem
The openam-auth-webauthn module stores and retrieves authenticator registration data by reading a value from a configurable LDAP user attribute and handing it to a plain java.io.ObjectInputStream with no ObjectInputFilter or class allowlist. Whatever bytes the attribute holds are trusted completely: the stream itself names the classes to instantiate, and their readObject/readResolve hooks run before the result is ever cast to the type the module expects, so a type check after readObject() comes too late.
If an attacker can write arbitrary bytes to that attribute (via delegated LDAP access, legacy REST self-registration, or a misconfigured userAttribute setting), they can plant a serialized Java gadget chain built from classes already on the OpenAM classpath; no attacker code is uploaded, only an object graph. The next time OpenAM reads the attribute during a WebAuthn authentication flow, deserialization fires and executes attacker-controlled code as the application server process.
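To make the mechanism concrete, here is an added example that is not OpenAM's code and not taken from the project: it models the read path with a vulnerable deserialize beside a hardened form that uses java.io.ObjectInputFilter (JDK 9+ / 8u121+). The AuthenticatorRecord and AttackerControlled classes, the base64 encoding, the attribute values and the helper names are all constructed for this example; the LDAP read is replaced by in-memory values so it runs offline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;
import java.util.Set;

// Model of the bug, NOT OpenAM code. Attribute values are constructed here instead
// of being read from the configured LDAP userAttribute.
public class WebAuthnAttributeDeserialization {

    // Hypothetical stand-in for the registration record the module expects to find.
    public static final class AuthenticatorRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String credentialId;
        final byte[] publicKey;
        AuthenticatorRecord(String credentialId, byte[] publicKey) {
            this.credentialId = credentialId;
            this.publicKey = publicKey;
        }
    }

    // Stand-in for a gadget class: any Serializable class on the classpath will do.
    public static final class AttackerControlled implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean executed = false;

        // Runs during deserialization, before the caller sees or casts the object.
        // A real gadget chain does the attacker's work here; this one flips a flag.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            executed = true;
        }
    }

    // VULNERABLE: the pattern the advisory describes. Any class named in the stream is instantiated.
    public static Object deserializeUnfiltered(byte[] attributeValue) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(attributeValue))) {
            return in.readObject();
        }
    }

    // Everything a legitimate record may contain, and nothing else.
    private static final Set<String> ALLOWED = Set.of(
            AuthenticatorRecord.class.getName(),
            String.class.getName(),   // credentialId
            byte[].class.getName());  // publicKey ("[B")

    // HARDENED: allowlist filter plus depth/reference/array limits. Rejection happens on the
    // class descriptor, before any constructor or readObject hook can run.
    public static AuthenticatorRecord deserializeFiltered(byte[] attributeValue) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = info -> {
            if (info.depth() > 3 || info.references() > 16 || info.arrayLength() > 4096) {
                return ObjectInputFilter.Status.REJECTED;  // a real record is tiny
            }
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED; // JDK convention for non-class callbacks
            }
            return ALLOWED.contains(c.getName()) ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(attributeValue))) {
            in.setObjectInputFilter(filter);  // must be set before readObject()
            return (AuthenticatorRecord) in.readObject();
        }
    }

    // Triage helper for stored values: Java serialization streams begin with magic 0xAC 0xED 0x00 0x05.
    public static boolean looksLikeJavaSerialization(byte[] v) {
        return v.length >= 4 && v[0] == (byte) 0xAC && v[1] == (byte) 0xED && v[2] == 0x00 && v[3] == 0x05;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Base64.Encoder enc = Base64.getEncoder();
        Base64.Decoder dec = Base64.getDecoder();
        // Constructed attribute values standing in for what the module reads back from LDAP.
        String benignValue  = enc.encodeToString(serialize(new AuthenticatorRecord("cred-1", new byte[]{1, 2, 3})));
        String hostileValue = enc.encodeToString(serialize(new AttackerControlled()));

        AuthenticatorRecord r = deserializeFiltered(dec.decode(benignValue));
        System.out.println("filtered, benign: credentialId=" + r.credentialId);

        Object o = deserializeUnfiltered(dec.decode(hostileValue));
        System.out.println("unfiltered, hostile: instantiated " + o.getClass().getSimpleName()
                + ", readObject ran = " + AttackerControlled.executed);

        AttackerControlled.executed = false;
        try {
            deserializeFiltered(dec.decode(hostileValue));
        } catch (InvalidClassException e) {
            System.out.println("filtered, hostile: rejected (" + e.getMessage()
                    + "), readObject ran = " + AttackerControlled.executed);
        }
        System.out.println("magic check on hostile value: " + looksLikeJavaSerialization(dec.decode(hostileValue)));
    }
}
```

Run with `javac WebAuthnAttributeDeserialization.java && java WebAuthnAttributeDeserialization`. The unfiltered path prints that the hostile class's readObject ran even though the caller never asked for that type; the filtered path fails with `InvalidClassException: filter status: REJECTED` and the flag stays false. The magic-byte helper only tells you a stored value is a Java serialization stream, not whether its object graph is hostile, so treat a hit in a production attribute as something to pull and analyse offline rather than to deserialize.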
The fix
Upgrade openam-auth-webauthn to version 16.1.1 or later. Before upgrading, audit the configured WebAuthn userAttribute in every realm: confirm it maps to an LDAP attribute that is strictly server-managed and not writable by end users, self-registration flows, or delegated admins. Check the directory's own access controls for that attribute, not just OpenAM's configuration, because any path that can write the attribute reaches the bug.
If the attribute is writable by anyone other than the server, assume it may already have been exploited: inspect the stored values for serialized Java data before the upgraded module reads them, and rotate every credential held by the application server process.