WSO2 API Manager
cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*
- 4.3.0
- 4.2.0
- 4.1.0
- 4.0.0
- 3.2.1
- 3.2.0
- 3.1.0
- 3.0.0
- 2.6.0
- 2.5.0
- 2.2.0
- 2.1.0
- 2.0.0
A privilege escalation vulnerability has been identified in multiple WSO2 products, including WSO2 API Manager, WSO2 Identity Server, and WSO2 Open Banking solutions. The root cause is a business logic flaw in the SOAP admin services that lets a malicious actor create a new user with elevated permissions. Exploitation requires all of the following conditions to hold:
- the SOAP admin services are accessible to the attacker;
- the deployment includes a non-default internal attribute;
- at least one custom role with non-default permissions exists; and
- the attacker knows both the custom role and the internal attribute used in the deployment.
Impact: successful exploitation lets an attacker assign higher privileges to self-registered users, bypassing the product's access control mechanisms.
WSO2 users are advised to update to the latest version of the affected product. Commercial users with a support subscription should use the WSO2 Updates service to apply the fix.
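Of the preconditions above, the first (the SOAP admin services being reachable by the attacker) is the one an operator can verify directly from an untrusted network position. The following is an added example and is not code from this advisory or from WSO2: it requests a Carbon admin-service WSDL from the probing host's vantage point and classifies the answer as reachable or not. The service path `/services/UserAdmin?wsdl`, the sample responses, and the verdict labels are assumptions made for illustration; adjust the path to match your deployment.

```python
"""Probe whether WSO2 Carbon SOAP admin services answer from this host.

Added example, not WSO2 code. Run from a network position that should NOT
be able to reach admin services (e.g. the public side of your edge proxy):

    python probe_admin_services.py https://apim.example.invalid:9443
"""
import ssl
import sys
import urllib.error
import urllib.request

# Assumed conventional Carbon admin-service path; not taken from the advisory.
ADMIN_SERVICE_PATH = "/services/UserAdmin?wsdl"

# Constructed sample responses used for offline checks (not captured traffic).
SAMPLE_WSDL = (
    b'<?xml version="1.0"?>'
    b'<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" '
    b'targetNamespace="http://example.invalid/UserAdmin"></wsdl:definitions>'
)
SAMPLE_FAULT = (
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<soapenv:Body><soapenv:Fault><faultstring>example</faultstring>"
    b"</soapenv:Fault></soapenv:Body></soapenv:Envelope>"
)


def classify(status, body):
    """Map an HTTP status and body to a reachability verdict.

    "exposed"  - the SOAP service layer answered (WSDL served, a SOAP
                 envelope/fault came back, or credentials were demanded),
                 so the admin services are reachable from here
    "blocked"  - a proxy or the server denied the path (403/404)
    "unknown"  - something answered, but not recognizably the service layer
    """
    text = body if isinstance(body, str) else body.decode("utf-8", "replace")
    text = text.lower()
    if "wsdl:definitions" in text or "<definitions" in text:
        return "exposed"
    if "envelope" in text and ("fault" in text or "body" in text):
        return "exposed"
    if status == 401:
        return "exposed"
    if status in (403, 404):
        return "blocked"
    return "unknown"


def precondition_met(verdict):
    """True when the advisory's first precondition (reachable admin services) holds."""
    return verdict == "exposed"


def probe(base_url, path=ADMIN_SERVICE_PATH, timeout=5.0, verify_tls=True):
    """Fetch base_url + path and classify the answer; network errors => 'unreachable'."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab hosts with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())
    except (urllib.error.URLError, OSError):
        return "unreachable"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe_admin_services.py https://host:9443 [--insecure]")
    result = probe(sys.argv[1], verify_tls="--insecure" not in sys.argv[2:])
    print(f"{sys.argv[1]}{ADMIN_SERVICE_PATH}: {result}")
    print("precondition 1 met:", precondition_met(result))
```

An "exposed" verdict from an untrusted vantage point means the first precondition holds and the update above should be prioritized. Independently of the fix, restricting the `/services/` path at the edge proxy or firewall so that admin services answer only from management networks is a general hardening practice (not a statement from this advisory) that removes that precondition entirely.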