WSO2 Products Access Control Vulnerability Allowing Unauthorized Administrative Operations
Vulnerability
A vulnerability exists in multiple WSO2 products, including WSO2 API Manager, WSO2 Identity Server, WSO2 Open Banking, WSO2 Traffic Manager, and WSO2 Universal Gateway, across various versions. The issue stems from inadequate access control in certain REST APIs, which allows their authentication and authorization checks to be bypassed. As a result, unauthenticated users can invoke these APIs and potentially obtain administrative access, enabling unauthorized administrative actions.
Impact
Exploitation of this vulnerability could result in unauthorized administrative access, allowing malicious actors to perform administrative tasks without proper validation.
Remediation
Users of WSO2 products can apply the relevant fixes available on GitHub or update to the latest unaffected version. WSO2 Support Subscription Holders can use WSO2 Updates to apply the fix. For specific guidance, consult the WSO2 Support Portal or the WSO2-2025-4585 instructions for IAM products.
