CVE-2025-9804
9.6
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.
This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WSO2 | WSO2 Identity Server as Key Manager | 0 < 5.3.0 | unknown |
| WSO2 | WSO2 Identity Server as Key Manager | 5.3.0 < 5.3.0.41 | affected |
| WSO2 | WSO2 Identity Server as Key Manager | 5.5.0 < 5.5.0.53 | affected |
| WSO2 | WSO2 Identity Server as Key Manager | 5.6.0 < 5.6.0.75 | affected |
| WSO2 | WSO2 Identity Server as Key Manager | 5.7.0 < 5.7.0.125 | affected |
| WSO2 | WSO2 Identity Server as Key Manager | 5.9.0 < 5.9.0.176 | affected |
| WSO2 | WSO2 Identity Server as Key Manager | 5.10.0 < 5.10.0.359 | affected |
| WSO2 | WSO2 Identity Server | 0 < 5.2.0 | unknown |
| WSO2 | WSO2 Identity Server | 5.2.0 < 5.2.0.34 | affected |
| WSO2 | WSO2 Identity Server | 5.3.0 < 5.3.0.36 | affected |
| WSO2 | WSO2 Identity Server | 5.4.0 < 5.4.0.34 | affected |
| WSO2 | WSO2 Identity Server | 5.4.1 < 5.4.1.38 | affected |
| WSO2 | WSO2 Identity Server | 5.5.0 < 5.5.0.52 | affected |
| WSO2 | WSO2 Identity Server | 5.6.0 < 5.6.0.60 | affected |
| WSO2 | WSO2 Identity Server | 5.7.0 < 5.7.0.126 | affected |
| WSO2 | WSO2 Identity Server | 5.8.0 < 5.8.0.110 | affected |
| WSO2 | WSO2 Identity Server | 5.9.0 < 5.9.0.169 | affected |
| WSO2 | WSO2 Identity Server | 5.10.0 < 5.10.0.369 | affected |
| WSO2 | WSO2 Identity Server | 5.11.0 < 5.11.0.413 | affected |
| WSO2 | WSO2 Identity Server | 6.0.0 < 6.0.0.244 | affected |
| WSO2 | WSO2 Identity Server | 6.1.0 < 6.1.0.243 | affected |
| WSO2 | WSO2 Identity Server | 7.0.0 < 7.0.0.118 | affected |
| WSO2 | WSO2 Identity Server | 7.1.0 < 7.1.0.25 | affected |
| WSO2 | WSO2 Open Banking KM | 0 < 1.4.0 | unknown |
| WSO2 | WSO2 Open Banking KM | 1.4.0 < 1.4.0.133 | affected |
| WSO2 | WSO2 Open Banking KM | 1.5.0 < 1.5.0.123 | affected |
| WSO2 | WSO2 Open Banking IAM | 0 < 2.0.0 | unknown |
| WSO2 | WSO2 Open Banking IAM | 2.0.0 < 2.0.0.409 | affected |
| WSO2 | WSO2 Open Banking AM | 0 < 1.4.0 | unknown |
| WSO2 | WSO2 Open Banking AM | 1.4.0 < 1.4.0.139 | affected |
| WSO2 | WSO2 Open Banking AM | 1.5.0 < 1.5.0.140 | affected |
| WSO2 | WSO2 Open Banking AM | 2.0.0 < 2.0.0.389 | affected |
| WSO2 | WSO2 API Manager | 0 < 2.0.0 | unknown |
| WSO2 | WSO2 API Manager | 2.0.0 < 2.0.0.31 | affected |
| WSO2 | WSO2 API Manager | 2.1.0 < 2.1.0.40 | affected |
| WSO2 | WSO2 API Manager | 2.2.0 < 2.2.0.59 | affected |
| WSO2 | WSO2 API Manager | 2.5.0 < 2.5.0.85 | affected |
| WSO2 | WSO2 API Manager | 2.6.0 < 2.6.0.146 | affected |
| WSO2 | WSO2 API Manager | 3.0.0 < 3.0.0.176 | affected |
| WSO2 | WSO2 API Manager | 3.1.0 < 3.1.0.340 | affected |
| WSO2 | WSO2 API Manager | 3.2.0 < 3.2.0.441 | affected |
| WSO2 | WSO2 API Manager | 3.2.1 < 3.2.1.61 | affected |
| WSO2 | WSO2 API Manager | 4.0.0 < 4.0.0.361 | affected |
| WSO2 | WSO2 API Manager | 4.1.0 < 4.1.0.224 | affected |
| WSO2 | WSO2 API Manager | 4.2.0 < 4.2.0.162 | affected |
| WSO2 | WSO2 API Manager | 4.3.0 < 4.3.0.75 | affected |
| WSO2 | WSO2 API Manager | 4.4.0 < 4.4.0.39 | affected |
| WSO2 | WSO2 API Manager | 4.5.0 < 4.5.0.23 | affected |
| WSO2 | WSO2 Identity Server Analytics | 0 < 5.2.0 | unknown |
| WSO2 | WSO2 Identity Server Analytics | 5.2.0 < 5.2.0.19 | affected |
| WSO2 | WSO2 Identity Server Analytics | 5.3.0 < 5.3.0.17 | affected |
| WSO2 | WSO2 Identity Server Analytics | 5.5.0 < 5.5.0.31 | affected |
| WSO2 | WSO2 Identity Server Analytics | 5.6.0 < 5.6.0.38 | affected |
| WSO2 | API Manager Analytics | 0 < 2.0.0 | unknown |
| WSO2 | API Manager Analytics | 2.0.0 < 2.0.0.14 | affected |
| WSO2 | API Manager Analytics | 2.1.0 < 2.1.0.19 | affected |
| WSO2 | API Manager Analytics | 2.2.0 < 2.2.0.30 | affected |
| WSO2 | API Manager Analytics | 2.5.0 < 2.5.0.39 | affected |
| WSO2 | WSO2 Enterprise Integrator | 0 < 6.2.0 | unknown |
| WSO2 | WSO2 Enterprise Integrator | 6.2.0 < 6.2.0.62 | affected |
| WSO2 | WSO2 Enterprise Integrator | 6.3.0 < 6.3.0.70 | affected |
| WSO2 | WSO2 Enterprise Service Bus Analytics | 0 < 5.0.0 | unknown |
| WSO2 | WSO2 Enterprise Service Bus Analytics | 5.0.0 < 5.0.0.13 | affected |
| WSO2 | WSO2 Data Analytics Server | 0 < 3.1.0 | unknown |
| WSO2 | WSO2 Data Analytics Server | 3.1.0 < 3.1.0.20 | affected |
| WSO2 | WSO2 Data Analytics Server | 3.2.0 < 3.2.0.33 | affected |
| WSO2 | WSO2 Enterprise Mobility Manager | 0 < 2.2.0 | unknown |
| WSO2 | WSO2 Enterprise Mobility Manager | 2.2.0 < 2.2.0.28 | affected |
| WSO2 | WSO2 Universal Gateway | 4.5.0 < 4.5.0.22 | affected |
| WSO2 | WSO2 API Control Plane | 4.5.0 < 4.5.0.24 | affected |
| WSO2 | WSO2 Traffic Manager | 4.5.0 < 4.5.0.22 | affected |
| WSO2 | org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector | 2.0.10 < 2.0.10.1 | affected |
| WSO2 | org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector | 2.0.15 < 2.0.15.1 | affected |
| WSO2 | org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector | 2.0.21 < 2.0.21.1 | affected |
| WSO2 | org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector | 2.0.22 < 2.0.22.1 | affected |
| WSO2 | org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector | 2.1.12 < 2.1.12.1 | affected |
| WSO2 | org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector | 2.1 < 2.1.1972 | affected |
| WSO2 | org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector | 2.2 < 2.2.24 | affected |
| WSO2 | org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector | 2.2 < 2.2.25 | affected |
| WSO2 | org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector | 3.1.0 < 3.1.0.74 | affected |
| WSO2 | org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector | 3.3.6 < 3.3.6.7 | affected |
| WSO2 | org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector | 3.3.26 < 3.3.26.2 | affected |
| WSO2 | org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector | 3.3.35 < 3.3.35.1 | affected |
| WSO2 | org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector | 3.3.41 <= * | unaffected |
| WSO2 | org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util | 6.7.206 < 6.7.206.567 | affected |
| WSO2 | org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util | 6.7.210 < 6.7.210.63 | affected |
| WSO2 | org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util | 9.0.174 < 9.0.174.522 | affected |
| WSO2 | org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util | 9.20.74 < 9.20.74.379 | affected |
| WSO2 | org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util | 9.28.116 < 9.28.116.360 | affected |
| WSO2 | org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util | 9.29.120 < 9.29.120.184 | affected |
| WSO2 | org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util | 9.30.67 < 9.30.67.109 | affected |
| WSO2 | org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util | 9.31.86 < 9.31.86.71 | affected |
| WSO2 | org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util | 9.32.133 <= * | unaffected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.4.7 < 4.4.7.6 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.4.9 < 4.4.9.11 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.4.11 < 4.4.11.9 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.4.26 < 4.4.26.12 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.4.35 < 4.4.35.44 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.5.1 < 4.5.1.43 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.6.0 < 4.6.0.1990 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.6.1 < 4.6.1.149 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.6.2 < 4.6.2.667 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.6.3 < 4.6.3.36 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.6.4 < 4.6.4.14 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.7.1 < 4.7.1.68 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.8.1 < 4.8.1.39 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.9.0 < 4.9.0.99 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.9.26 < 4.9.26.25 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.9.27 < 4.9.27.10 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.9.28 < 4.9.28.11 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.10.9 < 4.10.9.66 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.10.42 < 4.10.42.9 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.9 < 4.9.29 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.base | 4.10 < 4.10.94 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.2.0 < 5.2.0.4 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.2.2 < 5.2.2.21 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.7.5 < 5.7.5.18 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.11.148 < 5.11.148.19 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.11.256 < 5.11.256.21 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.12.153 < 5.12.153.63 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.12.387 < 5.12.387.46 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.14.97 < 5.14.97.89 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.17.5 < 5.17.5.317 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.17.118 < 5.17.118.17 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.18.187 < 5.18.187.309 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.18.248 < 5.18.248.30 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.23.8 < 5.23.8.207 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.24.8 < 5.24.8.23 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.25.92 < 5.25.92.152 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.25.705 < 5.25.705.19 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.25.713 < 5.25.713.9 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.25.724 < 5.25.724.3 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 7.0.78 < 7.0.78.133 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 7.8.23 < 7.8.23.47 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 5.25 < 5.25.734 | affected |
| WSO2 | org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt | 7.8.489 <= * | unaffected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.4.7 < 4.4.7.6 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.4.9 < 4.4.9.11 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.4.11 < 4.4.11.9 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.4.26 < 4.4.26.12 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.4.32 < 4.4.32.16 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.4.35 < 4.4.35.44 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.5.1 < 4.5.1.43 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.6.0 < 4.6.0.1990 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.6.1 < 4.6.1.149 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.6.2 < 4.6.2.667 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.6.3 < 4.6.3.36 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.6.4 < 4.6.4.14 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.7.1 < 4.7.1.68 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.8.1 < 4.8.1.39 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.9.0 < 4.9.0.99 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.9.26 < 4.9.26.25 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.9.27 < 4.9.27.10 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.9.28 < 4.9.28.11 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.10.9 < 4.10.9.66 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.10.42 < 4.10.42.9 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.9 < 4.9.29 | affected |
| WSO2 | org.wso2.carbon:org.wso2.carbon.server.admin | 4.10 < 4.10.94 | affected |
| WSO2 | org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow | 5.1.1 < 5.1.1.1 | affected |
| WSO2 | org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow | 5.1.2 < 5.1.2.1 | affected |
| WSO2 | org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow | 5.1.5 < 5.1.5.1 | affected |
| WSO2 | org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow | 5.3.3 < 5.3.3.1 | affected |
| WSO2 | org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow | 5.4.0 < 5.4.0.4 | affected |
| WSO2 | org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow | 5.4.1 < 5.4.1.5 | affected |
| WSO2 | org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow | 5.6.0 < 5.6.0.1 | affected |
| WSO2 | org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow | 5.6.21 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.