WSO2 Products Mutual TLS Authentication Vulnerability in System REST APIs and SOAP Services
Vulnerability
A missing-authentication vulnerability has been identified in the mutual TLS (mTLS) implementation of several WSO2 products. It affects the System REST APIs and SOAP services: in certain default configurations, client certificate-based authentication is not properly validated, so these components may accept unauthenticated requests even when mTLS is enabled. The condition occurs when the default mTLS settings for the System REST APIs are used, or when the mTLS authenticator is activated for SOAP services; in either case the interfaces let requests through without any additional authentication. A malicious actor with network access to the affected endpoints can exploit this to obtain administrative privileges and execute unauthorized actions. The issue is exploitable only when the affected mTLS flows are enabled and reachable in the deployment. Other certificate-based authentication methods, such as Mutual TLS OAuth client authentication and the X.509 login flows, are not affected, and APIs served through the WSO2 API Manager's API Gateway are not impacted.
Impact
Successful exploitation grants administrative privileges, allowing unauthorized operations to be performed on the affected system.