How to fix CVE-2024-1524?

Within 24 hours: Audit and document all federated identity providers with Silent Just-In-Time Provisioning enabled, and identify overlapping usernames between federated and local user stores. Within 7 days: Disable Silent Just-In-Time Provisioning across all affected systems or implement strict username conflict policies that prevent federated provisioning when local accounts exist. Within 30 days: Implement a comprehensive identity reconciliation strategy, enforce unique username standards across federated and local directories, and establish monitoring for suspicious account provisioning events.

Is Api Manager affected by CVE-2024-1524?

This vulnerability threatens organizations using federated identity management, where attackers could hijack local user accounts by exploiting the Silent Just-In-Time Provisioning feature.

CVE-2024-1524

HIGH

2026-02-24 ed10eef1-636d-4fbe-9993-6890dfa878f8

7.7

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 24, 2026 - 09:16 nvd

HIGH 7.7

Description

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted local user account with a federated IDP user account that they control. The Deployment should have: -An IDP configured for federated authentication with Silent JIT provisioning enabled. The malicious actor should have: -A fresh valid user account in the federated IDP that has not been used earlier. -Knowledge of the username of a valid user in the local IDP. -An account at the federated IDP matching the targeted local username.

Analysis

Technical Context

Classified as CWE-290 (Authentication Bypass by Spoofing). Affects Api Manager. When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users.

There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted

Affected Products

Vendor: Wso2. Product: Api Manager.

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

CVE-2024-1524 vulnerability details – vuln.today

Back

CVE-2024-1524

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2024-1524

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code