CVE-2026-44202: OpenAM Authenticated Server-Side Request Forgery (SSRF) via `/sessionservice`

OpenAM (Open Identity Platform) is an open-source Identity and Access Management (IAM) platform derived from ForgeRock OpenAM, providing SSO, OAuth2, SAML, and OpenID Connect capabilities. It is widely deployed in enterprise environments as a central authentication gateway.

The /sessionservice endpoint, used for internal session management operations, does not sufficiently restrict the URLs that authenticated users may register for session event notifications. Under certain conditions, this may result in outbound server-side requests to attacker-controlled destinations, potentially exposing session-related data.

This behavior results in a server-side request forgery (SSRF) vulnerability, where an authenticated attacker can trigger outbound requests to arbitrary destinations.