Skip to main content

WSO2 Identity Server CVE-2025-9973

| EUVDEUVD-2025-209762 MEDIUM
Improper Access Control (CWE-284)
2026-05-11 WSO2 GHSA-xm8v-8xxf-7x94
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Patch available
May 11, 2026 - 12:01 EUVD
Analysis Generated
May 11, 2026 - 11:45 vuln.today
CVE Published
May 11, 2026 - 10:12 nvd
MEDIUM 6.4

DescriptionCVE.org

Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to configure adaptive authentication within one organization can leverage this functionality to execute authentication logic on other organizations and sub-organizations.

This flaw allows bypassing authorization boundaries between organizations, leading to unauthorized access to critical operations and user accounts in other organizations. When adaptive authentication is enabled in a multi-organization deployment, a malicious actor with privileges to configure adaptive authentication in one organization could exploit this feature to perform critical operations in other organizations without authorization. This may result in privilege escalation, unauthorized access to resources, and potential account takeover across organizations.

AnalysisAI

WSO2 Identity Server in multi-organization deployments fails to validate organization context during adaptive authentication flow execution, allowing privileged users in one organization to trigger authentication logic on other organizations. An attacker with adaptive authentication configuration privileges can exploit this context validation gap to bypass authorization boundaries, escalate privileges, and gain unauthorized access to user accounts and resources across organizational boundaries.

Technical ContextAI

WSO2 Identity Server provides adaptive authentication capabilities through conditional authentication flows that dynamically adjust authentication requirements based on risk factors and user context. The vulnerability stems from insufficient validation of organization context when executing these adaptive authentication rules. In multi-tenant or multi-organization deployments where Identity Server enforces organizational isolation, the adaptive authentication module does not properly verify that authentication logic execution is scoped to the intended organization. This allows cross-organizational policy execution within a single Identity Server instance. The affected components include both the core WSO2 Identity Server and the Conditional Authentication User and Roles Related Functions module, which are responsible for defining and executing context-aware authentication policies.

RemediationAI

Apply the security patch from WSO2 security advisory WSO2-2025-4530 (available at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4530/) which includes organization context validation enforcement in adaptive authentication flow execution. Until patching is completed, restrict adaptive authentication configuration privileges strictly to administrators with explicit need-to-know for specific organizations, and implement audit logging on all adaptive authentication policy modifications to detect suspicious cross-organizational policy changes. Additionally, review existing adaptive authentication policies in multi-organization deployments to identify policies that may have been unexpectedly applied across organizational boundaries. Consider temporarily disabling adaptive authentication features on secondary organizations if multi-organization deployment is not critical to operations, though this may impact risk-based authentication capabilities.

CVE-2025-10470 HIGH
8.6 May 11

Memory exhaustion denial-of-service in WSO2 Identity Server's Magic Link authenticator allows remote unauthenticated att

CVE-2024-2374 HIGH
7.5 Apr 16

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the

CVE-2025-10908 HIGH
7.3 May 11

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authentic

CVE-2025-8591 MEDIUM
6.1 Jul 06

Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, AP

CVE-2025-10503 MEDIUM
6.1 Apr 29

The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a

CVE-2025-6024 MEDIUM
6.1 Apr 16

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script

CVE-2025-12624 MEDIUM
6.0 Apr 16

Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This fail

CVE-2024-1248 MEDIUM
5.3 Jul 04

The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segrega

CVE-2024-0391 MEDIUM
5.3 May 11

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker

CVE-2025-13475 HIGH
7.3 Jul 04

Cross-tenant consent leakage in WSO2 Identity Server and WSO2 API Manager multi-tenant deployments lets a SaaS applicati

Share

CVE-2025-9973 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy