CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Description (NVD)
The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions.
A malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges. This could lead to unintended behavior or misuse, particularly in production environments.
Analysis (AI)
Role-based access control bypass in WSO2 API Manager 3.x allows authenticated users holding only the default 'Internal/Everyone' role to invoke certain Gateway API and Internal Service API operations without the permission checks those operations are meant to enforce, enabling unauthorized operations against sensitive REST API endpoints. Because that role is assigned to every user automatically, any valid account on a vulnerable deployment is sufficient. The vulnerability affects multiple WSO2 products including API Control Plane, Universal Gateway, and Traffic Manager. The CVSS v3.1 base score of 6.3 (network-accessible, low attack complexity, low privileges required, no user interaction, low impact on confidentiality, integrity and availability) indicates moderate severity, with a clear path to privilege escalation: a low-privileged account reaches operations intended for administrative or operator roles, a concern heightened in multi-tenant deployments.
Technical Context (AI)
WSO2 API Manager implements role-based access control (RBAC) through role assignments that determine which users can invoke protected Gateway APIs and Internal Service APIs. The vulnerability stems from improper authorization checks in the handlers for the affected API invocations: the weakness is classified as CWE-281 (Improper Preservation of Permissions), and in practice the application does not verify that the authenticated user's assigned roles match the permissions required before granting access to sensitive operations. 'Internal/Everyone' is the default internal role that every user in the user store receives automatically, so a check that this role satisfies is equivalent to requiring nothing more than a valid login; it is incorrectly accepted for privileged Gateway REST APIs and internal service endpoints that should require elevated permissions. This affects the API Control Plane, Universal Gateway, and Traffic Manager components, which share the same authorization framework.
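The failure class described above, as an added illustration that is not WSO2 code: a handler that mistakes authentication for authorization lets the universally held Internal/everyone role through, while a deny-by-default handler requires an operation-specific role and refuses any policy that grants a privileged operation to the universal role. The operation names, role names and policy table are constructed for the example, not WSO2 identifiers.

```python
"""Added illustration (not WSO2 code) of an authorization check that accepts
a role every user holds, beside a hardened check.

Operation names and the policy table are constructed for this example.
"""

EVERYONE_ROLE = "Internal/everyone"   # assigned automatically to every user

# Constructed policy: operation -> roles allowed to invoke it
GATEWAY_POLICY = {
    "gateway:list-artifacts": {"Internal/devops", "admin"},
    "gateway:redeploy": {"Internal/devops", "admin"},
    "gateway:undeploy": {"admin"},
}


def authorize_vulnerable(user_roles, operation):
    """Bug pattern: authentication is mistaken for authorization.

    Any caller with at least one role passes, and because Internal/everyone
    is assigned to every account that means every valid login passes. The
    per-operation policy is never consulted.
    """
    return len(user_roles) > 0


def validate_policy(policy):
    """Reject a policy that grants a privileged operation to the universal role."""
    bad = sorted(op for op, roles in policy.items() if EVERYONE_ROLE in roles)
    if bad:
        raise ValueError(f"universal role {EVERYONE_ROLE!r} granted on: {bad}")


def authorize_hardened(user_roles, operation, policy=GATEWAY_POLICY):
    """Deny by default: the caller must hold a role listed for the operation.

    Internal/everyone is stripped before matching, so even if an operator
    later adds it to a policy entry by mistake it can never satisfy the check.
    Unknown operations are denied.
    """
    allowed = policy.get(operation)
    if not allowed:
        return False
    effective = set(user_roles) - {EVERYONE_ROLE}
    return not effective.isdisjoint(allowed)


def reachable_with_everyone_only(policy=GATEWAY_POLICY, check=authorize_vulnerable):
    """Audit helper: operations a user holding only Internal/everyone can invoke."""
    return sorted(op for op in policy if check({EVERYONE_ROLE}, op))


if __name__ == "__main__":
    validate_policy(GATEWAY_POLICY)
    print("vulnerable check exposes:", reachable_with_everyone_only(check=authorize_vulnerable))
    print("hardened check exposes:  ", reachable_with_everyone_only(check=authorize_hardened))
```

The audit helper is the check worth keeping after patching: run it against your own role-to-operation mapping to confirm that nothing privileged is reachable by an account that holds only the default role.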
Remediation (AI)
Apply the patch released by WSO2 as described in security advisory WSO2-2025-4401; consult the advisory for the exact fixed version numbers. If immediate patching is not possible, implement compensating controls. Note that 'Internal/Everyone' is assigned to every account automatically and cannot be meaningfully restricted; the exploitable population is the set of valid accounts, so reduce it: disable self sign-up where it is not required, remove stale or unused accounts, and audit current role assignments to identify accounts with unnecessary elevated grants. Additionally, implement network-level access controls to restrict the Gateway REST API and Internal Service API endpoints to trusted internal networks only, so that a valid account alone is not enough to reach them. Monitor and log all Gateway API and Internal Service API invocations; flag successful calls from accounts that hold no role beyond 'Internal/Everyone', and configure alerts for anomalous API operations. These controls do not eliminate the vulnerability, but they narrow the exploitability window and improve detectability. Patch deployment is the definitive remediation; workarounds carry an operational risk of denying legitimate access if they are overly restrictive.
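The monitoring control above, as an added detection example that is not part of the advisory or of WSO2: it joins an access log with a snapshot of role assignments and flags successful calls to gateway or internal-service paths by accounts whose only role is Internal/everyone. The log format, the path prefixes, the role snapshot and the alert threshold are all constructed for the example; adapt the parser and prefixes to the real deployment.

```python
"""Added detection example (not from the advisory or WSO2): flag successful
Gateway / Internal Service API calls by accounts holding only Internal/everyone.

The log line format, path prefixes and role snapshot are constructed for this
example; adapt them to the real access log and user store export.
"""
import re
from collections import Counter

EVERYONE_ROLE = "Internal/everyone"
# Constructed path prefixes for the privileged endpoints; adapt to the deployment
PRIVILEGED_PREFIXES = ("/api/am/gateway/", "/internal/data/")
ALERT_THRESHOLD = 2   # alert once one account makes this many flagged calls

# Constructed role snapshot (what an audit export of the user store would give)
USER_ROLES = {
    "alice": {"Internal/everyone", "Internal/devops"},
    "bob":   {"Internal/everyone"},
    "carol": {"Internal/everyone"},
    "admin": {"Internal/everyone", "admin"},
}

# Constructed access log lines (format invented for the example)
SAMPLE_LOG = """\
2025-11-10T10:00:01Z user=alice method=GET path=/api/am/gateway/v2/api-artifacts status=200
2025-11-10T10:00:05Z user=bob method=GET path=/api/am/gateway/v2/api-artifacts status=200
2025-11-10T10:00:09Z user=bob method=POST path=/api/am/gateway/v2/redeploy-api?apiName=orders status=200
2025-11-10T10:00:12Z user=carol method=POST path=/internal/data/v1/keymanagers status=401
2025-11-10T10:00:20Z user=bob method=GET path=/store/apis status=200
2025-11-10T10:00:30Z user=admin method=DELETE path=/api/am/gateway/v2/undeploy-api?apiName=orders status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_everyone_only(user, roles=USER_ROLES):
    """True when the account holds no role beyond the automatically assigned one.

    Accounts missing from the snapshot are treated as everyone-only (conservative).
    """
    return roles.get(user, set()) - {EVERYONE_ROLE} == set()


def flag_suspicious(log_text, roles=USER_ROLES):
    """Records of successful (2xx) privileged-endpoint calls by everyone-only accounts.

    A 2xx for such a call is the observable signature of the bypass: on a
    patched deployment the same request should be rejected with 401 or 403.
    """
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(PRIVILEGED_PREFIXES):
            continue
        if not 200 <= rec["status"] < 300:
            continue
        if is_everyone_only(rec["user"], roles):
            flagged.append(rec)
    return flagged


def alerts(log_text, roles=USER_ROLES, threshold=ALERT_THRESHOLD):
    """Accounts whose flagged-call count reaches the threshold, with their counts."""
    counts = Counter(r["user"] for r in flag_suspicious(log_text, roles))
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for rec in flag_suspicious(SAMPLE_LOG):
        print(f"FLAG {rec['ts']} {rec['user']} {rec['method']} {rec['path']}")
    print("alerts:", alerts(SAMPLE_LOG))
```

Rejected calls (carol's 401) are deliberately not flagged: they are what a correctly enforcing gateway produces, and keeping them out of the alert keeps the signal tied to actual bypass rather than to probing.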
EUVD-2025-209759
GHSA-xh36-jjpq-3cmr