CVE-2026-4249

Summary

The throttling event handling mechanism in multiple WSO2 products accepts user-supplied JSON payloads without sufficient validation of their structure and content. This allows an unauthenticated remote attacker to inject malicious JSON data that can lead to a persistent denial of service condition.

Successful exploitation of this vulnerability can disrupt the API Gateway, preventing legitimate API traffic from being processed and impacting complete service availability. The denial of service is persistent, requiring manual intervention to restore normal operations.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Universal Gateway4.5.0 < 4.5.0.54affected
WSO2WSO2 Universal Gateway4.6.0 < 4.6.0.18affected
WSO2WSO2 Universal Gateway4.7.0 < 4.7.0.2affected
WSO2WSO2 Traffic Manager4.5.0 < 4.5.0.53affected
WSO2WSO2 Traffic Manager4.6.0 < 4.6.0.18affected
WSO2WSO2 Traffic Manager4.7.0 < 4.7.0.2affected
WSO2WSO2 API Control Plane4.5.0 < 4.5.0.55affected
WSO2WSO2 API Control Plane4.6.0 < 4.6.0.19affected
WSO2WSO2 API Control Plane4.7.0 < 4.7.0.2affected
WSO2WSO2 API Manager0 < 3.2.0unknown
WSO2WSO2 API Manager3.2.0 < 3.2.0.470affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.89affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.390affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.254affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.194affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.105affected
WSO2WSO2 API Manager4.4.0 < 4.4.0.69affected
WSO2WSO2 API Manager4.5.0 < 4.5.0.54affected
WSO2WSO2 API Manager4.6.0 < 4.6.0.18affected
WSO2WSO2 API Manager4.7.0 < 4.7.0.2affected

Weaknesses

  • CWE-707: CWE-707: Use of Out-of-Scope Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References