CVE-2026-47426: OpenAM OAuth Client Impersonation via JWKS Resolver Cache
Description
An Improper Authentication (CWE-287) issue in OpenAM’s OAuth2 private_key_jwt client authentication path allows any registered OAuth2 client to mint tokens in the name of any other client whose key is published via a jwks_uri, without knowing the victim’s signing key. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.
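The description names the failure class but not its mechanics. As an added illustration (not OpenAM's code and not a reconstruction of the 16.1.1 patch), the Python below assumes one plausible shape of such a flaw: a JWKS resolver cache keyed only by `kid` and shared across all registered clients, shown beside a resolver that binds every key lookup to the client_id the assertion claims in `iss`/`sub`. All client ids, URLs, claims and the toy RSA key pairs are constructed for the demo.

```python
"""Client-bound JWKS key resolution for private_key_jwt (added illustration)."""
import hashlib
import json
import time

TOKEN_ENDPOINT = "https://as.example/oauth2/access_token"  # constructed


def _toy_keypair(p, q, e):
    # Constructed textbook RSA with tiny primes: a stand-in for real JWS keys,
    # not secure. "d" is the private signing exponent only the client holds.
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


CLIENT_KEYS = {  # each client's own signing key (private side never leaves it)
    "client-a": dict(kid="a-1", **_toy_keypair(61, 53, 17)),
    "client-b": dict(kid="b-1", **_toy_keypair(101, 113, 3)),
}
REGISTERED_CLIENTS = {  # what the authorization server has on file
    "client-a": {"jwks_uri": "https://client-a.example/jwks.json"},
    "client-b": {"jwks_uri": "https://client-b.example/jwks.json"},
}


def fetch_jwks(uri):
    """Stand-in for the HTTP fetch of a client's published JWKS (public parts only)."""
    for client_id, reg in REGISTERED_CLIENTS.items():
        if reg["jwks_uri"] == uri:
            k = CLIENT_KEYS[client_id]
            return {"keys": [{"kid": k["kid"], "n": k["n"], "e": k["e"]}]}
    raise LookupError(uri)


def _signing_input(header, claims):
    return (json.dumps(header, sort_keys=True) + "." + json.dumps(claims, sort_keys=True)).encode()


def _digest(signing_input, n):
    return int.from_bytes(hashlib.sha256(signing_input).digest(), "big") % n


def sign_assertion(signer_id, claims):
    """Build a private_key_jwt-style client assertion signed with signer_id's key."""
    k = CLIENT_KEYS[signer_id]
    header = {"alg": "toy-rs256", "kid": k["kid"]}
    sig = pow(_digest(_signing_input(header, claims), k["n"]), k["d"], k["n"])
    return {"header": header, "claims": claims, "sig": sig}


def _signature_ok(assertion, jwk):
    expected = _digest(_signing_input(assertion["header"], assertion["claims"]), jwk["n"])
    return pow(assertion["sig"], jwk["e"], jwk["n"]) == expected


class SharedKidCache:
    """Weak pattern: one cache keyed only by kid, shared across every client."""

    def __init__(self):
        self.by_kid = {}

    def warm(self):
        for reg in REGISTERED_CLIENTS.values():
            for jwk in fetch_jwks(reg["jwks_uri"])["keys"]:
                self.by_kid[jwk["kid"]] = jwk

    def resolve(self, claimed_client, kid):
        return self.by_kid.get(kid)  # ignores which client published the key


class ClientBoundCache:
    """Hardened pattern: keys are only looked up in the JWKS registered for the claimed client."""

    def __init__(self):
        self.by_client = {}

    def resolve(self, claimed_client, kid):
        reg = REGISTERED_CLIENTS.get(claimed_client)
        if reg is None:
            return None
        jwks = self.by_client.get(claimed_client)
        if jwks is None:
            jwks = self.by_client[claimed_client] = fetch_jwks(reg["jwks_uri"])
        return next((k for k in jwks["keys"] if k["kid"] == kid), None)


def authenticate_client(assertion, resolver, now=None):
    """Return the authenticated client_id, or None if the assertion is rejected."""
    claims = assertion["claims"]
    client_id = claims.get("iss")
    if not client_id or claims.get("sub") != client_id:
        return None
    if claims.get("aud") != TOKEN_ENDPOINT or claims.get("exp", 0) <= (now or time.time()):
        return None
    jwk = resolver.resolve(client_id, assertion["header"].get("kid"))
    if jwk is None or not _signature_ok(assertion, jwk):
        return None
    return client_id


def demo():
    now = 1_700_000_000  # constructed clock
    claims = {"iss": "client-a", "sub": "client-a", "aud": TOKEN_ENDPOINT, "exp": now + 60, "jti": "demo-1"}
    legit = sign_assertion("client-a", claims)
    crafted = sign_assertion("client-b", claims)  # client-b's key, client-a's identity
    shared = SharedKidCache()
    shared.warm()
    bound = ClientBoundCache()
    return {
        "shared_legit": authenticate_client(legit, shared, now),
        "shared_crafted": authenticate_client(crafted, shared, now),  # accepted: the flaw
        "bound_legit": authenticate_client(legit, bound, now),
        "bound_crafted": authenticate_client(crafted, bound, now),  # rejected
    }


if __name__ == "__main__":
    print(demo())
```

The defensive point is in `ClientBoundCache.resolve`: the key that verifies a client assertion must come from the JWKS registered for the client named in `iss`/`sub`, never from whichever cached JWKS happens to contain a matching `kid`. Since `kid` values are chosen by each client, collisions across clients are legitimate and expected, so a cache keyed by `kid` alone cannot be safe regardless of how carefully the signature itself is checked.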