CVE-2026-47424: OpenAM Authenticated RCE via Groovy Sandbox Escape
Description
A Protection Mechanism Failure (CWE-693) in OpenAM's server-side scripting sandbox allows an authenticated script author to execute operating-system commands from the OpenAM JVM, even with the default class allow and deny lists in place. This impacts OpenAM Community Edition through version 16.0.6. This issue was patched in version 16.1.1.
References
Code Behaviors & Features