CVE-2026-44203: OpenAM has pre-auth Reflected XSS in OAuth2 / OIDC response_mode=form_post via state parameter (FormPostResponse.ftl)

June 22, 2026

The OAuth 2.0 / OpenID Connect authorization endpoint does not sufficiently sanitize certain user-supplied parameters before incorporating them into the HTML response generated for the form_post response mode. This may allow an attacker to inject content into the rendered page in the context of the OpenAM origin.

References

github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.1.1
github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-fq9h-c788-fx73
github.com/advisories/GHSA-fq9h-c788-fx73
nvd.nist.gov/vuln/detail/CVE-2026-44203

Code Behaviors & Features

Detect and mitigate CVE-2026-44203 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →