GHSA-4v2w-2wqp-mc85
OpenAM OAuth Authorization Bypass via PKCE Challenge
## Summary
**Description**
An Improper Authorization (CWE-285) issue in OpenAM's OAuth2 authorization-code grant allows a PKCE-protected authorization code to be redeemed without the required code_verifier. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1.
The authorize endpoint stores a code_challenge on the issued code, but the token endpoint only requires a code_verifier when the realm-wide codeVerifierEnforced setting is enabled, which ships disabled by default. With that setting off, the stored challenge is checked only if the caller supplies a verifier, so omitting the parameter skips PKCE verification entirely.
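As an added illustration (not OpenAM's own code), a minimal Python model of the two token-endpoint decision paths described above: the vulnerable shape, where the realm-wide flag alone decides whether a missing code_verifier is fatal, and the hardened shape, where a code that was issued with a code_challenge always requires a matching verifier. The names `AuthCode`, `redeem_vulnerable` and `redeem_fixed` are assumptions for the illustration.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class AuthCode:
    # Hypothetical record of what the authorize endpoint stored with the issued code.
    code_challenge: Optional[str]
    code_challenge_method: str = "S256"


def _challenge_matches(code: AuthCode, verifier: str) -> bool:
    if code.code_challenge is None:
        return False
    if code.code_challenge_method == "S256":
        return secrets.compare_digest(s256_challenge(verifier), code.code_challenge)
    return secrets.compare_digest(verifier, code.code_challenge)  # "plain" method


def redeem_vulnerable(code: AuthCode, verifier: Optional[str], enforced: bool = False) -> bool:
    """Vulnerable shape: the verifier is mandatory only when the realm flag is on."""
    if verifier is None:
        # With enforced=False (the shipped default) the stored challenge is never
        # consulted, so a PKCE-bound code is redeemed without any verifier.
        return not enforced
    return _challenge_matches(code, verifier)


def redeem_fixed(code: AuthCode, verifier: Optional[str], enforced: bool = False) -> bool:
    """Hardened shape: a code that carries a challenge always needs a matching verifier."""
    if code.code_challenge is None:
        return not enforced  # the flag only governs codes issued without PKCE
    if verifier is None:
        return False  # the missing-parameter path is now rejected
    return _challenge_matches(code, verifier)
```

The constructed inputs in the checks use the RFC 7636 Appendix B verifier/challenge pair.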
## Impact
OpenAM Community Edition deployments through version 16.0.6 using the default OAuth2 provider configuration are potentially affected. For public clients, an attacker who intercepts an authorization code can exchange it for tokens without knowing the verifier. For confidential clients, the attacker additionally needs client authentication material or an execution context that can redeem the code. A token request supplying an incorrect verifier is still rejected. The bypass is specifically the missing-parameter path.
## Patch
This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.
Affected packages
- org.openidentityplatform.openam:openam-oauth2 (Maven), fixed in 16.1.1. To update, bump `<version>16.1.1</version>` for this artifact in pom.xml.