What is the CVSS score of CVE-2025-47889?

CVE-2025-47889 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Wso2 Oauth are affected by CVE-2025-47889?

CVE-2025-47889 presents critical security risk, a improper authentication vulnerability rated CVSS 9.8.

How to fix or mitigate CVE-2025-47889?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Audit authentication configurations and rotate any potentially compromised credentials.

Wso2 Oauth CVE-2025-47889

CRITICAL

Improper Authentication (CWE-287)

2025-05-14 jenkinsci-cert@googlegroups.com

Authentication Bypass Jenkins Wso2 Oauth

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:41 vuln.today

CVE Published

May 14, 2025 - 21:15 nvd

CRITICAL 9.8

DescriptionNVD

In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist.

AnalysisAI

In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Improper Authentication (CWE-287), which allows attackers to bypass authentication mechanisms to gain unauthorized access. In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist. Affected products include: Jenkins Wso2 Oauth.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement multi-factor authentication, enforce strong password policies, use proven authentication frameworks.

More from same product – last 7 days

CVE-2026-48920 HIGH This Week

8.8 May 27

Arbitrary file disclosure in the Jenkins Email Extension Plugin (email-ext) versions 1933.v45cec755423f and earlier lets

CVE-2026-48921 HIGH This Week

7.5 May 27

Arbitrary file read on the Jenkins controller is possible in the Jenkins 'Pipeline: Groovy Libraries Plugin' (version 79

CVE-2026-48922 HIGH This Week

7.5 May 27

Arbitrary file write in the Jenkins Credentials Binding Plugin (version 720.v3f6decef43ea_ and earlier) lets users who c

CVE-2026-48916 MEDIUM This Month

6.6 May 27

Unconstrained LDAP referral following in Jenkins LDAP Plugin (≤ 807.v7d7de30930cf) enables Server-Side Request Forgery,

CVE-2026-48917 MEDIUM This Month

6.6 May 27

Jenkins LDAP Plugin versions up to and including 807.v7d7de30930cf deserializes Java objects returned via LDAP referral

CVE-2025-47889 vulnerability details – vuln.today

Back

Wso2 Oauth CVE-2025-47889

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code