16.1.1

What's Changed

• CVE-2026-33672 CVE-2026-33671: Method injection in POSIX character classes causes incorrect glob matching Related glob security issue patched in the same release by @Copilot in #970
• CVE-2026-33870 Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing by @dependabot[bot] in #972
• CVE-2025-67030 Plexus-Utils has a Directory Traversal vulnerability in its extractFile method by @dependabot[bot] in #974
• CVE-2026-4800 CVE-2026-2950 lodash vulnerable to Code Injection via _.template imports key names lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit by @dependabot[bot] in #978
• CVE-2026-27315 CVE-2026-32588 Apache Cassandra has sensitive Information Leak in cqlsh + has an authenticated DoS over CQL by @dependabot[bot] in #981
• CVE-2025-64718 js-yaml has prototype pollution in merge (<<) by @dependabot[bot] in #994
• CVE-2026-21884 CVE-2026-22029 CVE-2026-22030 React Router SSR XSS in ScrollRestoration ,vulnerable to XSS via Open Redirects, CSRF issue in Action/Server Action Request Processing by @dependabot[bot] in #993
• CVE-2026-27606 Rollup 4 has Arbitrary File Write via Path Traversal by @dependabot[bot] in #992
• CVE-2026-33228 CVE-2026-32141 Prototype Pollution via parse() in NodeJS flatted, flatted vulnerable to unbounded recursion DoS in parse() revive phase by @dependabot[bot] in #991
• CVE-2026-39364 CVE-2026-39365 CVE-2026-39363 CVE-2025-62522 Vite: server.fs.deny bypassed, Path Traversal in Optimized Deps, Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket, server.fs.deny bypass via backslash on Windows by @dependabot[bot] in #990
• CVE-2026-4800 CVE-2025-13465 CVE-2026-2950 lodash vulnerable to Code Injection via _.template imports key names, odash has Prototype Pollution Vulnerability in _.unset and _.omit functions by @dependabot[bot] in #989
• CVE-2026-29063 Immutable is vulnerable to Prototype Pollution by @dependabot[bot] in #988
• CVE-2026-33671 CVE-2026-33672 Picomatch has a ReDoS vulnerability Picomatch: Method Injection in POSIX Character Classes by @dependabot[bot] in #987
• CVE-2026-26996 CVE-2026-27903 CVE-2026-27904 minimatch has a ReDoS by @dependabot[bot] in #986
• GHSA-r4q5-vmmm-2653 follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets by @dependabot[bot] in #985
• CVE-2025-13465 Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions by @dependabot[bot] in #995
• CVE-2026-26996 CVE-2026-27903 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern, minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments by @dependabot[bot] in #996
• CVE-2026-26996 CVE-2026-27903 minimatch has a ReDoS via repeated wildards with non-matching literal in pattern, minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments by @maximthomas in #997
• CVE-2026-27903 CVE-2026-27904 CVE-2026-26996 UI: update grunt to 1.6.2 to address vulnerabilities by @maximthomas in #998
• CVE-2025-12383 a race condition (CWE-362) that can cause SSL/TLS settings (mTLS, custom key/trust stores) to be silently ignored under concurrent connection load, enabling certificate bypass / MITM by @Copilot in #1001
• CVE-2025-8916 unbounded memory allocation in PKIXCertPathReviewer when processing malicious certificate chains with oversized name constraint structures, enabling DoS by @Copilot in #1002
• CVE-2025-7962 Jakarta Mail vulnerable to SMTP Injection by @dependabot[bot] in #1005
• CVE-2026-41305 PostCSS has XSS via Unescaped </style> in its CSS Stringify Output by @dependabot[bot] in #1009
• CVE-2026-42577 Netty epoll transport denial of service via RST on half-closed TCP connection by @dependabot[bot] in #1016
• CVE-2026-44728 @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input by @dependabot[bot] in #1019
• CVE-2026-6321 CVE-2026-6322 fast-uri vulnerable via percent-encoded dot segments by @dependabot[bot] in #1018
• CVE-2026-6321 CVE-2026-6322 fast-uri vulnerable via percent-encoded dot segments by @dependabot[bot] in #1017
• CVE-2026-43869 Apache Thrift has an Improper Validation of Certificate with Host Mismatch Vulnerability by @vharseko in #1020
• CVE-2026-8723 qs has a remotely triggerable DoS by @dependabot[bot] in #1026
• CVE-2026-44705 tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape by @dependabot[bot] in #1029
• CVE-2026-47429 When Vitest UI server is listening, arbitrary file can be read and executed by @dependabot[bot] in #1032
• CVE-2026-22029 React Router vulnerable to XSS by @dependabot[bot] in #1035
• CVE-2026-45536 CVE-2026-45416 CVE-2026-44249 Netty: Unix-socket fd receive leaks descriptors when peer sends two at once Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking by @vharseko in #1041
• CVE-2025-66453 replace servicemix rhino bundle with org.mozilla:rhino:1.7.15.1 by @Copilot in #1037
• GHSA-g7r4-m6w7-qqqr esbuild allows arbitrary file read when running the development server on Windows by @dependabot[bot] in #1043
• CVE-2026-53550 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases by @dependabot[bot] in #1048
• CVE-2026-53663 React Router: Potential CSRF via PUT/PATCH/DELETE document requests by @dependabot[bot] in #1053
• CVE-2026-48988 CVE-2026-2327 markdown-it is has a Regular Expression Denial of Service (ReDoS) by @dependabot[bot] in #1052
• CVE-2026-49356 @babel/core: Arbitrary File Read via sourceMappingURL Comment by @dependabot[bot] in #1049
• CVE-2026-41573 LDAP Injection via _queryId Parameter thanks @nn0nkey / JD-Security SHENYI Team
• CVE-2026-44202 Authenticated Server-Side Request Forgery (SSRF) via /sessionservice thanks @nn0nkey / JD-Security SHENYI Team
• CVE-2026-44203 Pre-authentication Reflected XSS OAuth2 / OIDC thanks @gujjuboy10x00
• CVE-2026-44793 Pre-authentication Reflected XSS in SAML2 Cluster Cookie-Hash-Redirect Path thanks @gujjuboy10x00
• CVE-2026-45049 Session Hijacking via CDSSO thanks @wodzen
• CVE-2026-45048 Arbitrary Session Hijacking via Session Service RPC thanks @wodzen
• CVE-2026-45051 Conditional RCE via Java Deserialization in WebAuthn thanks @wodzen
• CVE-2026-45052 Anonymous Authentication via Liberty SOAP thanks @wodzen
• CVE-2026-45794 Unsafe Java Deserialization via Push Notification thanks @wodzen
• CVE-2026-46498 Arbitrary OAuth Token Minting via Push Registration thanks @wodzen
• CVE-2026-46560 Authentication Bypass via RADIUS Spoofing thanks @wodzen
• CVE-2026-46619 Authentication Bypass via MSISDN LDAP Injection thanks @wodzen
• CVE-2026-46623 Account Takeover via OAuth2 Unverified Password Change thanks @wodzen
• CVE-2026-47424 Authenticated RCE via Groovy Sandbox Escape thanks @wodzen
• CVE-2026-47426 OAuth Client Impersonation via JWKS Resolver Cache thanks @wodzen
• CVE-2026-48717 OAuth Authorization Bypass via PKCE Challenge thanks @wodzen
• CVE-2026-53660 Insecure SSO Cookie Initialization thanks @wodzen
• Support HttpOnly session cookie in XUI by @vharseko in #1036
• Include acr and amr claims in stateless JWT access tokens by @vharseko in #1033
• Add OAuth2 Access Token Modification Script (OAUTH2_ACCESS_TOKEN_MODIFICATION) by @vharseko in #1034
• Create base entry on external configuration store during setup by @vharseko in #1045
• OpenAM MCP server by @maximthomas in #935
• OpenAM UI JS SDK by @maximthomas in #941
• Fix SLO sendin...

16.0.6

What's Changed

• CVE-2026-2391 qs's arrayLimit bypass in comma parsing allows denial of service by @dependabot[bot] in #960
• CVE-2026-32141 CVE-2026-33228 flatted vulnerable to unbounded recursion DoS in parse() + Prototype Pollution via parse() in NodeJS flatted by @dependabot[bot] in #966
• CVE-2026-33439 Pre-Authentication Remote Code Execution via jato.clientSession Deserialization in OpenAM by @maximthomas thanks @iamnoooob @hacktronai-research
• Can't set the SameSite cookie attribute in XUI by @maximthomas thanks @IvanAndrukh #965
• Update opendj.version to 5.0.4 by @vharseko in #964

Full Changelog: 16.0.5...16.0.6

16.0.5

What's Changed

• CVE-2025-67735 Netty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder by @dependabot[bot] in #949
• CVE-2025-15284 qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion by @dependabot[bot] in #950
• CVE-2025-13465 Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions by @dependabot[bot] in #953
• CVE-2025-13465 Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. by @maximthomas in #954
• [#951] Set explicit xmlsec dependency for openam-federation-library by @maximthomas in #952 thanks @igieon
• [#955] Update JSTL to Jakarta 2.0.0 version by @maximthomas in #957 thanks @FireBurn
• [#956] Add OpenAM secondary instances to the Docker test in build.yml by @maximthomas in #959 thanks @FireBurn
• Update org.openidentityplatform.opendj to 5.0.3 by @vharseko in #947
• fix javadoc build by @maximthomas in #948

Full Changelog: 16.0.4...16.0.5

16.0.4

What's Changed

• CVE-2025-66453 Rhino has high CPU usage and potential DoS by @dependabot[bot] in #943
• CVE-2025-12183 CVE-2025-66566 LZ4 vulnerabilities by @maximthomas in #946
• Update ESAPI to 2.7.0.0 and switch to the jakarta classifier by @maximthomas in #938
• Update org.openidentityplatform.opendj to 5.0.2 by @vharseko in #940
• Fix Fedlet blank index page by @maximthomas in #939
• Docs: set supported Java and Tomcat versions by @maximthomas in #944

Full Changelog: 16.0.3...16.0.4

16.0.3

What's Changed

• Update target JDK to 11 and move to JakartaEE 9 by @maximthomas in #889
• Add support LTS JDK 25 by @vharseko in #924
• Update base docker image Java version to 25 LTS by @maximthomas in #927
• CVE-2023-45133: Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code by @maximthomas in #922
• CVE-2024-53382 PrismJS DOM Clobbering vulnerability (update swagger-ui) by @maximthomas in #923
• CVE-2025-64099 Using arbitrary OIDC requested claims values in id_token and user_info is allowed
• Fix OAuth2 issues: Restore 'none' token endpoint auth method. Do not add default openid scope if non-empty. by @maximthomas in #926
• Shade BC libs to avoid conflict with BC FIPS by @maximthomas in #930
• [#931] Update OpenDMK external library to fix SNMP monitoring by @maximthomas in #932
• Update org.openidentityplatform.opendj to 5.0.1 by @vharseko in #933
• Fix documentation auth modules duplicate attributes by @maximthomas in #921
• Build & deploy: add branch sustaining/15.2.x by @vharseko in #925
• Set the project version for transformed artifacts. by @maximthomas in #934

Full Changelog: 15.2.2...16.0.3

15.2.2

What's Changed

• CVE-2025-8916 Allocation of Resources Without Limits or Throttling vulnerability by @maximthomas in #909
• CVE-2025-9288 ha.js is missing type checks leading to hash rewind and passing on crafted data by @dependabot[bot] in #908
• CVE-2025-26467 Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions by @dependabot[bot] in #911
• CVE-2025-5889 brace-expansion Regular Expression Denial of Service vulnerability by @dependabot[bot] in #914
• [#913] CVE-2024-38999 requirejs v2.3.6 was discovered to contain a prototype pollution by @maximthomas in #915
• CVE-2025-58056 Netty vulnerable to request smuggling due to incorrect parsing of chunk extensions by @dependabot[bot] in #919
• CVE-2025-8662 Tampering with request parameters may modify OpenAM’s internal cache, causing the SAML IdP to not function properly by @tsujiguchitky in #920
• Fix JavaDoc build error in GitHub actions by @maximthomas in #906
• Update README.md: add backers and sponsor by @vharseko in #907
• ISSUE_TEMPLATE: add "Vote to raise the priority" by @vharseko in #910
• Bump org.openidentityplatform.opendj 4.10.2 by @vharseko in #918
• Generate authentication modules reference in AsciiDoc format by @maximthomas in #916

Full Changelog: 15.2.1...15.2.2

15.2.1

What's Changed

• CVE-2025-7783 form-data uses unsafe random function in form-data for choosing boundary by @dependabot[bot] in #890
• CVE-2025-7783: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution by @maximthomas in #894
• Bump org.openidentityplatform.opendj 4.10.1 by @vharseko in #895
• [#896] CVE-2022-34169 Apache Xalan Java XSLT library integer truncation issue when processing malicious XSLT stylesheets by @vharseko in #897
• CVE-2025-54798 tmp allows arbitrary temporary file / directory write via symbolic link dir parameter by @dependabot[bot] in #898
• Remove import javax.xml.rpc StringHolder (make inner) by @vharseko in #901
• Run frontend Karma tests during the Maven test phase by @maximthomas in #902
• [#903] Fix ambiguous class loading from the Jato library by @maximthomas in #904

Full Changelog: 15.2.0...15.2.1

15.2.0

What's Changed

• CVE-2019-11358 CVE-2020-11023 Update jQuery to 3.7.1 by @maximthomas in #878
• CVE-2025-48976 Apache Commons FileUpload: FileUpload DoS via part headers by @dependabot[bot] in #883
• CVE-2025-48924 Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs by @vharseko in #887
• CVE-2025-48734 Apache Commons Improper Access Control vulnerability by @dependabot[bot] in #870
• CVE-2018-8039 Apache CXF TLS hostname verification does not work correctly with com.sun.net.ssl.* by @dependabot[bot] in #871
• [#877] Return Bad Request error if CORS failed by @maximthomas in #882
• [#872] Add root group permission to the Docker $CATALINA_HOME directory by @maximthomas in #879
• FIX: Failed to execute goal org.apache.maven.plugins:maven-shade-plugin:3.2.1:shade Unsupported class file major version 61 by @vharseko in #885
• Bump org.openidentityplatform.opendj 4.10.0 by @vharseko in #888
• Docker integration test with OpenDJ separate instance by @maximthomas in #866
• Increase timeout for Chrome startup to 60s by @FireBurn in #869
• Deploy: migrating from Legacy OSSRH to Central Portal by @vharseko in #875
• Migrate tests from using fest-assert to AssertJ by @aldaris in #876

Full Changelog: 15.1.6...15.2.0

15.1.6

What's Changed

• [#859] Drop Oracle Directory Server Enterprise Edition support as configuration datastore by @maximthomas in #861
• [#859] Warn and continue loading LDIF schemas on install by @maximthomas in #860
• Add support Java SE 24 by @vharseko in #857
• Bump org.openidentityplatform.opendj to 4.9.4 by @vharseko in #854
• Add integration test with OpenDJ Docker container by @maximthomas in #863
• Update documentation formatting by @maximthomas in #867

Full Changelog: 15.1.5...15.1.6

15.1.5

What's Changed

• CVE-2025-27497 Fix Denial of Service (Dos) using alias loop by @vharseko in #843
• CVE-2025-26791 Bump dompurify and swagger-ui in /openam-ui/openam-ui-api by @dependabot in #856
• Fail fast when updating OpenDJ schema on OpenAM setup by @maximthomas in #849
• Add RemoteIpValve to the server.xml in Docker image by @maximthomas in #850 thanks @AndressRod
• [#845] Setup with embedded DJ may crash by @vharseko in #853 thanks @YinHangCode
• [#848] Fix OAuth2 error when use Connection: close header by @maximthomas in #855 thanks @AndressRod
• Docs: disable timestamp in javadoc by @maximthomas in #842
• Change github action distribution temurin->zulu by @vharseko in #841
• Bump @babel/runtime from 7.24.5 to 7.26.10 in /openam-ui/openam-ui-api by @dependabot in #847
• Bump axios from 1.7.7 to 1.8.3 in /openam-ui/openam-ui-api by @dependabot in #851
• Bump @babel/runtime-corejs3 from 7.25.6 to 7.26.10 in /openam-ui/openam-ui-api by @dependabot in #852

Full Changelog: 15.1.4...15.1.5