CVE-2025-9804

CRITICAL9.6

Description

An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.

CVSS breakdown

CVSS 3.1

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected products

WSO2 / API Manager Analytics2.0.0 – 2.0.0.14
WSO2 / API Manager Analytics2.5.0 – 2.5.0.39
WSO2 / API Manager Analytics0 – 2.0.0
WSO2 / API Manager Analytics2.2.0 – 2.2.0.30
WSO2 / API Manager Analytics2.1.0 – 2.1.0.19
WSO2 / org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util9.31.86 – 9.31.86.71
WSO2 / org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util9.30.67 – 9.30.67.109
WSO2 / org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util9.29.120 – 9.29.120.184
WSO2 / org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util9.28.116 – 9.28.116.360
WSO2 / org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util9.20.74 – 9.20.74.379
WSO2 / org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util9.0.174 – 9.0.174.522
WSO2 / org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util6.7.210 – 6.7.210.63
WSO2 / org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util6.7.206 – 6.7.206.567
WSO2 / org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.util9.32.133 – *
WSO2 / org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector3.3.35 – 3.3.35.1
WSO2 / org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector3.3.26 – 3.3.26.2
WSO2 / org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector3.3.6 – 3.3.6.7
WSO2 / org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector3.1.0 – 3.1.0.74
WSO2 / org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector2.2 – 2.2.25
WSO2 / org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector2.2 – 2.2.24
WSO2 / org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector2.1 – 2.1.1972
WSO2 / org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector2.1.12 – 2.1.12.1
WSO2 / org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector2.0.15 – 2.0.15.1
WSO2 / org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector2.0.21 – 2.0.21.1
WSO2 / org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector2.0.22 – 2.0.22.1
WSO2 / org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector2.0.10 – 2.0.10.1
WSO2 / org.wso2.carbon.extension.identity.authenticator.outbound.totp:org.wso2.carbon.extension.identity.authenticator.totp.connector3.3.41 – *
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.7.5 – 5.7.5.18
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt7.8.489 – *
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.25 – 5.25.734
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt7.8.23 – 7.8.23.47
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt7.0.78 – 7.0.78.133
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.25.724 – 5.25.724.3
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.25.713 – 5.25.713.9
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.25.705 – 5.25.705.19
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.25.92 – 5.25.92.152
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.24.8 – 5.24.8.23
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.23.8 – 5.23.8.207
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.18.248 – 5.18.248.30
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.18.187 – 5.18.187.309
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.17.118 – 5.17.118.17
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.17.5 – 5.17.5.317
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.14.97 – 5.14.97.89
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.12.387 – 5.12.387.46
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.12.153 – 5.12.153.63
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.11.256 – 5.11.256.21
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.11.148 – 5.11.148.19
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.2.2 – 5.2.2.21
WSO2 / org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.mgt5.2.0 – 5.2.0.4
WSO2 / org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow5.1.1 – 5.1.1.1
WSO2 / org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow5.1.2 – 5.1.2.1
WSO2 / org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow5.1.5 – 5.1.5.1
WSO2 / org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow5.3.3 – 5.3.3.1
WSO2 / org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow5.4.0 – 5.4.0.4
WSO2 / org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow5.4.1 – 5.4.1.5
WSO2 / org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow5.6.0 – 5.6.0.1
WSO2 / org.wso2.carbon.identity.workflow.user:org.wso2.carbon.user.mgt.workflow5.6.21 – *
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.6.4 – 4.6.4.14
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.4.7 – 4.4.7.6
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.4.9 – 4.4.9.11
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.4.11 – 4.4.11.9
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.4.26 – 4.4.26.12
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.4.35 – 4.4.35.44
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.5.1 – 4.5.1.43
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.6.0 – 4.6.0.1990
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.6.1 – 4.6.1.149
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.6.2 – 4.6.2.667
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.6.3 – 4.6.3.36
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.7.1 – 4.7.1.68
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.8.1 – 4.8.1.39
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.9.0 – 4.9.0.99
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.9.26 – 4.9.26.25
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.9.27 – 4.9.27.10
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.9.28 – 4.9.28.11
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.10.9 – 4.10.9.66
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.10.42 – 4.10.42.9
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.9 – 4.9.29
WSO2 / org.wso2.carbon:org.wso2.carbon.base4.10 – 4.10.94
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.9.28 – 4.9.28.11
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.10.42 – 4.10.42.9
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.6.2 – 4.6.2.667
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.9 – 4.9.29
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.10 – 4.10.94
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.6.1 – 4.6.1.149
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.6.0 – 4.6.0.1990
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.5.1 – 4.5.1.43
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.4.35 – 4.4.35.44
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.4.32 – 4.4.32.16
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.4.26 – 4.4.26.12
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.4.11 – 4.4.11.9
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.4.9 – 4.4.9.11
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.4.7 – 4.4.7.6
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.10.9 – 4.10.9.66
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.6.3 – 4.6.3.36
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.6.4 – 4.6.4.14
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.7.1 – 4.7.1.68
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.8.1 – 4.8.1.39
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.9.0 – 4.9.0.99
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.9.26 – 4.9.26.25
WSO2 / org.wso2.carbon:org.wso2.carbon.server.admin4.9.27 – 4.9.27.10
WSO2 / WSO2 API Control Plane4.5.0 – 4.5.0.24
WSO2 / WSO2 API Manager2.1.0 – 2.1.0.40
WSO2 / WSO2 API Manager4.2.0 – 4.2.0.162
WSO2 / WSO2 API Manager4.1.0 – 4.1.0.224
WSO2 / WSO2 API Manager4.0.0 – 4.0.0.361
WSO2 / WSO2 API Manager3.2.1 – 3.2.1.61
WSO2 / WSO2 API Manager3.2.0 – 3.2.0.441
WSO2 / WSO2 API Manager3.1.0 – 3.1.0.340
WSO2 / WSO2 API Manager3.0.0 – 3.0.0.176
WSO2 / WSO2 API Manager2.6.0 – 2.6.0.146
WSO2 / WSO2 API Manager2.5.0 – 2.5.0.85
WSO2 / WSO2 API Manager2.2.0 – 2.2.0.59
WSO2 / WSO2 API Manager4.3.0 – 4.3.0.75
WSO2 / WSO2 API Manager2.0.0 – 2.0.0.31
WSO2 / WSO2 API Manager0 – 2.0.0
WSO2 / WSO2 API Manager4.5.0 – 4.5.0.23
WSO2 / WSO2 API Manager4.4.0 – 4.4.0.39
WSO2 / WSO2 Data Analytics Server3.2.0 – 3.2.0.33
WSO2 / WSO2 Data Analytics Server0 – 3.1.0
WSO2 / WSO2 Data Analytics Server3.1.0 – 3.1.0.20
WSO2 / WSO2 Enterprise Integrator6.2.0 – 6.2.0.62
WSO2 / WSO2 Enterprise Integrator6.3.0 – 6.3.0.70
WSO2 / WSO2 Enterprise Integrator0 – 6.2.0
WSO2 / WSO2 Enterprise Mobility Manager2.2.0 – 2.2.0.28
WSO2 / WSO2 Enterprise Mobility Manager0 – 2.2.0
WSO2 / WSO2 Enterprise Service Bus Analytics0 – 5.0.0
WSO2 / WSO2 Enterprise Service Bus Analytics5.0.0 – 5.0.0.13
WSO2 / WSO2 Identity Server5.5.0 – 5.5.0.52
WSO2 / WSO2 Identity Server5.4.1 – 5.4.1.38
WSO2 / WSO2 Identity Server5.4.0 – 5.4.0.34
WSO2 / WSO2 Identity Server5.3.0 – 5.3.0.36
WSO2 / WSO2 Identity Server5.8.0 – 5.8.0.110
WSO2 / WSO2 Identity Server7.1.0 – 7.1.0.25
WSO2 / WSO2 Identity Server7.0.0 – 7.0.0.118
WSO2 / WSO2 Identity Server6.1.0 – 6.1.0.243
WSO2 / WSO2 Identity Server6.0.0 – 6.0.0.244
WSO2 / WSO2 Identity Server5.11.0 – 5.11.0.413
WSO2 / WSO2 Identity Server5.10.0 – 5.10.0.369
WSO2 / WSO2 Identity Server5.9.0 – 5.9.0.169
WSO2 / WSO2 Identity Server5.7.0 – 5.7.0.126
WSO2 / WSO2 Identity Server5.6.0 – 5.6.0.60
WSO2 / WSO2 Identity Server0 – 5.2.0
WSO2 / WSO2 Identity Server5.2.0 – 5.2.0.34
WSO2 / WSO2 Identity Server Analytics5.3.0 – 5.3.0.17
WSO2 / WSO2 Identity Server Analytics5.5.0 – 5.5.0.31
WSO2 / WSO2 Identity Server Analytics5.6.0 – 5.6.0.38
WSO2 / WSO2 Identity Server Analytics0 – 5.2.0
WSO2 / WSO2 Identity Server Analytics5.2.0 – 5.2.0.19
WSO2 / WSO2 Identity Server as Key Manager5.5.0 – 5.5.0.53
WSO2 / WSO2 Identity Server as Key Manager5.3.0 – 5.3.0.41
WSO2 / WSO2 Identity Server as Key Manager0 – 5.3.0
WSO2 / WSO2 Identity Server as Key Manager5.10.0 – 5.10.0.359
WSO2 / WSO2 Identity Server as Key Manager5.7.0 – 5.7.0.125
WSO2 / WSO2 Identity Server as Key Manager5.9.0 – 5.9.0.176
WSO2 / WSO2 Identity Server as Key Manager5.6.0 – 5.6.0.75
WSO2 / WSO2 Open Banking AM1.4.0 – 1.4.0.139
WSO2 / WSO2 Open Banking AM0 – 1.4.0
WSO2 / WSO2 Open Banking AM1.5.0 – 1.5.0.140
WSO2 / WSO2 Open Banking AM2.0.0 – 2.0.0.389
WSO2 / WSO2 Open Banking IAM0 – 2.0.0
WSO2 / WSO2 Open Banking IAM2.0.0 – 2.0.0.409
WSO2 / WSO2 Open Banking KM1.5.0 – 1.5.0.123
WSO2 / WSO2 Open Banking KM1.4.0 – 1.4.0.133
WSO2 / WSO2 Open Banking KM0 – 1.4.0
WSO2 / WSO2 Traffic Manager4.5.0 – 4.5.0.22
WSO2 / WSO2 Universal Gateway4.5.0 – 4.5.0.22

References

VENDOR_ADVISORYhttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/