CVE-2026-45794: OpenAM has Unsafe Java Deserialization via SNS
Description
A Deserialization of Untrusted Data (CWE-502) issue exists in OpenAM’s Push Notification SNS callback resource. The REST route that handles SNS push messages is mounted with anonymous access and, when a supplied message identifier has expired from the in-memory dispatcher, falls back to a CTS-stored predicate blob whose top-level keys are treated as Java class names and passed to Class.forName(…) before attacker-controlled JSON is deserialized via Jackson. This impacts OpenAM Community Edition through version 16.0.6. This issue was patched in version 16.1.1.
Arbitrary attacker-controlled code execution was not confirmed on the stock classpaths tested for the latest release, but the flaw gives an unauthenticated caller a reliable class-loading and Jackson-construction primitive: Class.forName(…) runs the static initializer of any named class, and Jackson then constructs an instance and populates it from attacker-supplied JSON. Depending on the classpath and environment of a given deployment, that primitive can be turned into remotely triggered process execution, file writes, or denial of service.
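The following is an added illustration, not OpenAM code, of the pattern the description above names: a top-level JSON key is passed to Class.forName and the key's value is then handed to Jackson, shown beside a hardened form that resolves the key through a fixed allow-list instead. The class names PredicateDeserialization and ExpiryPredicate, the "expiry" key, and the two JSON blobs are hypothetical and constructed for the example; the Jackson calls (readTree, fieldNames, treeToValue) are the real ObjectMapper API.

```java
// Added example (hypothetical code, not OpenAM's): unsafe key-to-class
// dispatch beside an allow-listed replacement. Requires jackson-databind.
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Iterator;
import java.util.Map;

public class PredicateDeserialization {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Hypothetical predicate type the service would legitimately persist. */
    public static final class ExpiryPredicate {
        public long notAfter;
        public boolean test(long now) { return now <= notAfter; }
    }

    /**
     * VULNERABLE: the first top-level key of attacker-controlled JSON is used
     * as a class name. Class.forName(name) loads that class and runs its static
     * initializer; Jackson then calls its no-arg constructor and fills public
     * fields / setters from the key's value. Any class on the classpath can be
     * named, which is the class-loading and construction primitive.
     */
    public static Object unsafeLoad(String json) throws Exception {
        JsonNode root = MAPPER.readTree(json);
        Iterator<String> keys = root.fieldNames();
        if (!keys.hasNext()) throw new IllegalArgumentException("empty predicate");
        String className = keys.next();                      // attacker-controlled
        Class<?> cls = Class.forName(className);             // arbitrary class load
        return MAPPER.treeToValue(root.get(className), cls); // arbitrary bean construction
    }

    /** The only predicate types the service is expected to store (hypothetical). */
    private static final Map<String, Class<?>> ALLOWED = Map.of(
        "expiry", ExpiryPredicate.class
    );

    /**
     * HARDENED: the key is an opaque discriminator looked up in a fixed map.
     * Unknown keys are rejected before any class is resolved or instantiated,
     * so the caller never influences which type Jackson builds.
     */
    public static Object safeLoad(String json) throws Exception {
        JsonNode root = MAPPER.readTree(json);
        if (root.size() != 1) throw new IllegalArgumentException("exactly one predicate expected");
        String key = root.fieldNames().next();
        Class<?> cls = ALLOWED.get(key);
        if (cls == null) throw new IllegalArgumentException("unknown predicate type: " + key);
        return MAPPER.treeToValue(root.get(key), cls);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate blob and an attacker-shaped one.
        String legit = "{\"expiry\":{\"notAfter\":4102444800}}";
        // Under unsafeLoad the key names any loadable class; java.util.Properties
        // is a harmless JDK type used here only to show that the lookup succeeds.
        String hostile = "{\"java.util.Properties\":{\"foo\":\"bar\"}}";

        Object u1 = unsafeLoad(legit.replace("expiry", ExpiryPredicate.class.getName()));
        System.out.println("unsafe (legit)   -> " + u1.getClass().getName());
        Object u2 = unsafeLoad(hostile);
        System.out.println("unsafe (hostile) -> " + u2.getClass().getName());

        System.out.println("safe   (legit)   -> " + safeLoad(legit).getClass().getName());
        try {
            safeLoad(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("safe   (hostile) -> rejected: " + e.getMessage());
        }
    }
}
```

The allow-list closes the deserialization hole but not the exposure described above: a callback route that accepts anonymous input should also be authenticated (for example by validating the push-service signature before the body is parsed), since the CTS fallback was only reachable because the route itself required no credentials.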