WSO2 Federated Identity Provider Account Provisioning Vulnerability Allowing User Information Replacement

Vulnerability

A vulnerability exists in WSO2 when the 'Silent Just-In-Time Provisioning' feature is enabled for a federated identity provider. This vulnerability allows for the risk of overwriting local user store information during the account provisioning process, particularly when federated users have the same username as local users. The issue arises only if an identity provider is configured for federated authentication with Silent JIT provisioning enabled, and a malicious actor has a valid user account in the federated identity provider that has not been used previously, along with knowledge of a valid username in the local identity provider.

Impact

Exploitation of this vulnerability could lead to unauthorized replacement of local user information with that of a federated identity provider user, potentially allowing for misuse of the local account.

Added: Feb 24, 2026, 9:18 AM

Updated: Feb 24, 2026, 2:19 PM

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

3.1

exploitability

5.0

remediation

8.3

relevance

3.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

3.1

exploitability

5.0

remediation

8.3

relevance

3.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

WSO2 Federated Identity Provider Account Provisioning Vulnerability Allowing User Information Replacement

Vulnerability

Impact

Affected Products

WSO2

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating