The morning opened on three independent CVSS-10 remote-code-execution bugs — a path-traversal-to-hook-overwrite in the Gogs Git server (CVE-2026-52813), anonymous NoSQL operator injection in published Budibase apps (CVE-2026-54350), and a default-unauthenticated LFI-to-RCE chain in internet-exposed motionEye camera boxes. Any one of them would headline a normal day.
By the First Watch the throughline had moved to identity. OpenAM ≤16.0.6 took a third advisory cluster in a single day: morning session-token theft via CDCServlet, then an afternoon pair that reads as one chain — an anonymous Liberty SOAP endpoint writes attacker-controlled data into any user's profile under the internal admin token (CVE-2026-45052), feeding a WebAuthn module that deserializes that same storage attribute into pre-auth code execution (CVE-2026-45051). It is the same Open Identity Platform stack that anchored yesterday's watch, so the auth tier under every federated relying party is the day's soft underbelly two days running. A quieter second motif ran through the GHSA batch — incomplete fixes that never moved the sink, in AVideo, OctoPrint, phpMyFAQ, and a jackson-databind PolymorphicTypeValidator bypass. The bright spot is that the entire OpenAM cluster collapses to a single 16.1.1 upgrade.
→ Operational priority for the night upgrade OpenAM to 16.1.1 — one bump closes the session-hijack, profile-write, and WebAuthn-RCE issues together — and confirm no user-writable LDAP attribute backs the WebAuthn storage field before trusting the patch; behind that, upgrade Gogs and pull motionEye and public Budibase apps off the internet.