CVE-2026-33439: Openam Application Object Input Stream Unsafe Deserialization

Use of `ApplicationObjectInputStream` for Java deserialization. This class is a plain `ObjectInputStream` subclass with no `resolveClass` override and no class allowlist, so any call to `readObject()` on it with attacker-influenced bytes enables arbitrary class instantiation and RCE via well-known Java deserialization gadget chains (CVE-2026-33439 — bypass o

Provally Curated | Public repository | High | High confidence | Verified | Apache-2.0 | java
greprules fetch cve-2026-33439-openam-application-object-input-stream-unsafe-deserialization --engine opengrep
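As an added illustration (not OpenAM's code and not this rule's own logic), the flagged pattern beside a hardened equivalent: a bare `ObjectInputStream` subclass next to one that enforces an explicit class allowlist in `resolveClass` and through `ObjectInputFilter` (JDK 9+). Class names are hypothetical.

```java
import java.io.*;
import java.util.Set;

// Pattern the rule flags: a bare ObjectInputStream subclass. With no resolveClass
// override and no filter, readObject() instantiates whatever class the stream names.
class UnsafeObjectInputStream extends ObjectInputStream {
    UnsafeObjectInputStream(InputStream in) throws IOException { super(in); }
}

// Hardened equivalent: an explicit allowlist enforced twice, in resolveClass and
// via ObjectInputFilter (JDK 9+), so rejection happens before any constructor runs.
class AllowlistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
        // The filter sees every class, array and reference; it also caps nesting depth.
        setObjectInputFilter(info -> {
            if (info.depth() > 10) return ObjectInputFilter.Status.REJECTED;
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // size/ref checks only
            while (c.isArray()) c = c.getComponentType();
            return c.isPrimitive() || allowed.contains(c.getName())
                    ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        });
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!allowed.contains(desc.getName())) {
            throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
        }
        return super.resolveClass(desc);
    }

    // Demo: a String round-trips because it is allowlisted; any other class is rejected.
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject("hello"); }
        try (ObjectInputStream ois = new AllowlistObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()), Set.of("java.lang.String"))) {
            System.out.println(ois.readObject());
        }
    }
}
```

The allowlist must name every class the expected payload contains, including the boxed types and collections it nests; the filter's depth cap is a constructed value, not a project setting.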

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
