Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.
The vulnerability consists of insufficient access control implementation (CWE-863 – improper authorization) in the REST API request handling layer. An attacker can invoke protected API endpoints without providing valid authentication credentials or possessing required permissions. Requests directed to these APIs do not undergo proper identity validation and permission level checks, resulting in full access to administrative operations.
An attacker without any privileges can gain administrative access to the system and perform unauthorized management operations, including potentially modifying configuration, managing users, and controlling critical identity platform and open banking functions.
Security patches available from the vendor must be applied according to the references — detailed information about patched versions is contained in the official WSO2 security bulletin at: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/
WSO2 Open Banking AM, WSO2 Open Banking KM, WSO2 Traffic Manager, WSO2 Open Banking IAM, WSO2 Identity Server — versions specified in vendor references (advisory WSO2-2025-4585)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HWso2 Api Control Plane
APPWso24.5.0Wso2 Api Manager
APPWso22.1.02.2.02.5.02.6.03.0.03.1.03.2.03.2.14.0.04.1.04.2.04.3.04.4.04.5.0Wso2 Identity Server
APPWso25.10.05.11.05.3.05.5.05.6.05.7.05.8.05.9.06.0.06.1.07.0.07.1.0Wso2 Identity Server As Key Manager
APPWso25.10.05.3.05.5.05.6.05.7.05.9.0Wso2 Open Banking Am
APPWso21.4.01.5.02.0.0Wso2 Open Banking Iam
APPWso22.0.0Wso2 Open Banking Km
APPWso21.4.01.5.0Wso2 Traffic Manager
APPWso24.5.0Wso2 Universal Gateway
APPWso24.5.0
Related vulnerabilities
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must u...
WSO2 API Manager – RCE przez upload pliku z uprawnieniami administratora
Brak wymuszania uwierzytelniania mTLS w produktach WSO2 — nieautoryzowany dostęp administracyjny
WSO2 API Manager — brak uwierzytelniania w endpoincie DCR umożliwia eskalację uprawnień
Nieprawidłowa kontrola dostępu w wewnętrznych API WSO2 (SOAP/REST)