WebSphere Liberty flaws show how control planes can collapse

At a glance

What this is: Oligo Security’s research shows that multiple WebSphere Liberty flaws can collapse both pre-authentication SAML security and post-authentication AdminCenter role boundaries into full server compromise.

Why it matters: IAM, PAM, and NHI teams should treat administrative control planes as identity-critical assets, because broken file access, token material exposure, and weak secret protection can turn low privilege into complete compromise.

👉 Read Oligo Security's research on WebSphere Liberty control-plane flaws

Context

WebSphere Liberty is a Java application server that often sits inside enterprise authentication, administration, and configuration workflows. In this research, the primary issue is not just code execution risk, but the collapse of trust boundaries around SAML SSO, role-based access, and credential protection in the server’s management plane.

That matters to IAM and PAM teams because control-plane identities often hold the keys to wider infrastructure access. When a low-privilege account can read protected files, recover signing material, or reach administrative functions, the result is not a local bug. It is identity compromise with server-wide blast radius.

Key questions

Q: How should security teams handle reader-role access in administrative control planes?

A: Security teams should treat any role that can read configuration, token material, or encrypted secrets as privileged access. In a management plane, read access can be enough to recover credentials, forge tokens, or pivot into administrator actions. The right test is not whether the UI blocks edits, but whether the role can reach identity material that controls the server.

Q: Why do hardcoded secret-protection modes create long-term identity risk?

A: Hardcoded secret-protection modes create long-term risk because they make protected values reversible across systems, backups, and old snapshots. Once a fixed key or default password is known, every credential ever encoded with it becomes recoverable. That turns what looks like historical data into active identity material and extends exposure far beyond the live system.

Q: What breaks when a control plane exposes signing keys or configuration secrets?

A: When a control plane exposes signing keys or configuration secrets, role boundaries stop meaning much. An attacker can move from read-only access to token forgery, impersonation, and ultimately administrative control. In practice, the server’s identity trust model fails before the application logic does, because the material that proves identity is no longer protected.

Q: How can organisations reduce the blast radius of middleware identity flaws?

A: Organisations should separate administration, file access, and token authority as if they were different security zones. Review SAML endpoints, admin APIs, configuration stores, and secret backups together, because a single weakness in one layer can invalidate the others. The goal is to prevent low-privilege access from becoming a path to server-wide compromise.

Technical breakdown

SAML Web SSO cookie forgery and pre-auth deserialization

The most severe flaw described in the research affects WebSphere Liberty’s SAML Web SSO flow. Liberty stores a Java-serialized InitialRequest object in a client-side cookie and later deserializes it after checking a digest meant to include a server-only secret. Because the String.concat() call discards its return value, the secret is never included in the digest input. That breaks cookie integrity, allowing an attacker with network reach to forge a valid cookie and feed attacker-controlled serialized data into ObjectInputStream.readObject(). The result is pre-auth arbitrary deserialization, which can become remote code execution when a suitable classpath gadget is available.

Practical implication: Treat any pre-auth deserialization path as a server takeover path, not a normal application flaw.

AdminCenter role boundaries, file read exposure, and token forgery

AdminCenter is supposed to separate reader and administrator roles, but the research shows that boundary is not reliable. A reader-role user can retrieve sensitive server files, including ltpa.keys, and the interface can also expose configuration contents that contain plaintext credentials. That matters because LTPA keys are not just data files. They are signing material for authentication tokens. If an attacker can read the key file and recover the password protecting it, they can forge tokens and impersonate any user, including administrators. The issue is architectural: a read-only role becomes a route to authentication bypass when protected secrets are reachable through the same control plane.

Practical implication: Audit management-plane file access as if it were token authority, because secret disclosure can become identity impersonation.

Hardcoded secret protection fails in plaintext, XOR, and AES modes

The research also shows that WebSphere Liberty’s own secret-protection options are weak by design. Plaintext configuration is self-explanatory, but the default XOR mode uses a fixed single-character key and the AES mode relies on a hardcoded universal key. In both cases, the protection is reversible across installations, backups, and historical snapshots. That means credential exposure is not limited to live systems. Any configuration value encrypted with those defaults may remain recoverable long after it was created, which extends the exposure window backward into older environments and stored artifacts.

Practical implication: Assume default secret-protection modes are reversible and inventory all historical configuration copies.

Threat narrative

Attacker objective: The attacker’s objective is full control of the Liberty server, including authentication impersonation, arbitrary file write, and remote code execution.

1. Entry begins with network reach to a SAML-enabled WebSphere Liberty instance, or with authenticated reader access to AdminCenter.
2. Escalation follows when forged SAML cookies, exposed ltpa.keys material, or recoverable configuration secrets produce administrator-level identity or file access.
3. Impact occurs when administrator access is used to upload a crafted archive, escape the write directory, overwrite server files, and reach remote code execution.

Breaches seen in the wild

• 230M AWS environment compromise — 230M AWS environments compromised via exposed .env files with cloud credentials.
• MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

The main failure here is not a missing patch, but the collapse of trust in the management plane. WebSphere Liberty’s security model assumes that reader-role access is limited, secret protection is reversible only to the server, and token material remains protected from low-privilege users. The research shows that each of those assumptions fails in different places. For practitioners, the lesson is that administrative control planes must be treated as identity infrastructure, not just application features.

Reader-only access is not a safe state when it can reveal signing keys or configuration secrets. A role model that appears constrained on paper becomes structurally unsafe if the same role can read files that drive authentication, session signing, or credential recovery. OWASP-NHI and NIST-CSF both point toward least privilege and access boundary enforcement, but this case shows that privilege scope must include the secrets behind the control plane, not just the visible UI actions. The implication is that read access and trust authority cannot be separated by convention alone.

Hardcoded secret protection creates reversible identity debt across the entire configuration lifecycle. Plaintext, fixed XOR keys, and universal AES keys all fail the same test: they do not protect historical assets once exposed. That means backups, snapshots, and version-controlled configs remain live attack material. For identity teams, the practical conclusion is that secret handling is not a point-in-time setting but a lifecycle problem that spans creation, storage, recovery, and retirement.

Token forgery and arbitrary file write are linked identity failures, not isolated technical bugs. The path from credential recovery to administrator impersonation to arbitrary write shows how identity compromise can cascade into system compromise. ZT-NIST-207 matters here because the server should never treat recovered trust material as equivalent to verified identity. Practitioners should read this as a control-plane blast-radius problem: once identity material is readable, the rest of the server becomes writable.

Identity security for Java middleware must account for both authentication flows and administrative surfaces. SAML, LTPA, admin APIs, and configuration utilities are all part of one identity system in practice. OWASP-NHI and NIST-CSF alignment should therefore extend beyond login controls to include file access, token integrity, and secret lifecycle controls. The practical conclusion is that middleware governance must cover the whole trust chain, not just the sign-in endpoint.

From our research:

• 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
• That same survey found that only 44% of organisations have implemented any policies to manage their AI agents, even though 92% agree governance is critical to enterprise security.
• For a broader view of how identity assumptions fail across machine identities, see The 52 NHI breaches Report.

What this signals

Control-plane identity is now the real target surface. When reader roles can reach secrets, tokens, and configuration history, the boundary between administration and compromise disappears. Teams should watch for middleware products where the management interface also stores authentication material, because that is where a routine access review becomes a breach review.

Identity blast radius now includes historical artefacts. If a default password or hardcoded key once protected a credential, every backup and archive created under that regime inherits the same weakness. The security programme must therefore extend beyond live runtime inventory and include stored copies, because old configuration is still active attack surface.

Least privilege is only real when the secret path is closed too. A role that can read the wrong file can become an administrator without ever invoking an edit action. This is the same control failure pattern that appears in machine identity programmes when access scope and secret reach are not governed together.

For practitioners

• Audit management-plane file exposure Review every role that can read configuration, token material, or diagnostic output in WebSphere Liberty. Any role that can retrieve ltpa.keys, server.xml, or encrypted credentials should be treated as a potential escalation path, not a harmless viewer.
• Rotate secrets created with default encoding modes Find passwords protected with the default XOR or AES securityUtility modes and replace them. Treat backups, archived snapshots, and version-controlled configuration files as part of the same exposure set because the defaults make those values recoverable.
• Validate SAML-enabled deployments for pre-auth deserialization risk Prioritise any Liberty instance with SAML Web SSO enabled and verify whether the deployment still depends on a client-held serialized cookie. If it does, the trust boundary is already thin enough that a forged cookie can become execution.
• Reassess reader-role design as privileged access Remove the assumption that a low-privilege admin-console role is non-sensitive. If a role can read files, configuration, or signing material, it belongs in the same review queue as administrative access.

Key takeaways

• WebSphere Liberty’s flaws show how a management plane can become a full identity compromise path when token material, configuration secrets, and role boundaries all fail together.
• Reader-role access is not benign if it can expose signing keys, recover passwords, or unlock admin functions, because read-only visibility can still produce full impersonation.
• The practical response is to treat middleware secrets, historical configuration copies, and administrative interfaces as one governed identity surface, not as separate technical domains.

Key terms

• Control Plane Identity: The identities, secrets, and permissions used to administer infrastructure rather than to run business transactions. In practice, a control plane identity can include reader roles, signing keys, configuration access, and management APIs. When these are exposed, compromise often spreads faster than in ordinary application paths.
• Token Forgery: Token forgery is the creation of a valid-looking authentication token without legitimate authorization from the identity provider. It usually depends on exposing signing keys, encryption secrets, or recovery material. In identity programmes, forgery matters because it bypasses login controls and turns stolen secrets into direct impersonation.
• Secret Reversibility: Secret reversibility means a credential or protected value can be recovered from its stored form with little or no real resistance. That can happen through hardcoded keys, fixed passwords, or weak encoding. For identity governance, reversible secrets are not protected secrets, even if they appear encrypted in a file.
• Management-Plane Blast Radius: Management-plane blast radius is the extent of damage an attacker can cause after reaching administrative or semi-administrative controls. It often includes configuration changes, token issuance, file access, and code execution. The broader the blast radius, the less meaningful ordinary role separation becomes unless the underlying identity material is protected.

Deepen your knowledge

Middleware identity governance and secret lifecycle risk are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are reviewing control-plane exposure in Java infrastructure, it is worth exploring.

This post draws on content published by Oligo Security: Broken by Default, New Vulnerabilities in IBM WebSphere Liberty Can Lead to Full Server Compromise. Read the original.