
WSO2 Identity Server CVE-2025-9973

EUVD-2025-209762 | MEDIUM
Improper Access Control (CWE-284)
2026-05-11 WSO2 GHSA-xm8v-8xxf-7x94
CVSS 3.1 base score: 6.4

CVSS Vector (NVD)

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline

Patch available: May 11, 2026 - 12:01 (EUVD)
Analysis Generated: May 11, 2026 - 11:45 (vuln.today)
CVE Published: May 11, 2026 - 10:12 (NVD)

Description (NVD)

Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to configure adaptive authentication within one organization can leverage this functionality to execute authentication logic on other organizations and sub-organizations.

This flaw allows bypassing authorization boundaries between organizations, leading to unauthorized access to critical operations and user accounts in other organizations. When adaptive authentication is enabled in a multi-organization deployment, a malicious actor with privileges to configure adaptive authentication in one organization could exploit this feature to perform critical operations in other organizations without authorization. This may result in privilege escalation, unauthorized access to resources, and potential account takeover across organizations.

Analysis (AI)

WSO2 Identity Server in multi-organization deployments fails to validate organization context during adaptive authentication flow execution, allowing privileged users in one organization to trigger authentication logic on other organizations. An attacker with adaptive authentication configuration privileges can exploit this context validation gap to bypass authorization boundaries, escalate privileges, and gain unauthorized access to user accounts and resources across organizational boundaries.

Technical Context (AI)

WSO2 Identity Server provides adaptive authentication capabilities through conditional authentication flows that dynamically adjust authentication requirements based on risk factors and user context. The vulnerability stems from insufficient validation of organization context when executing these adaptive authentication rules. In multi-tenant or multi-organization deployments where Identity Server enforces organizational isolation, the adaptive authentication module does not properly verify that authentication logic execution is scoped to the intended organization. This allows cross-organizational policy execution within a single Identity Server instance. The affected components include both the core WSO2 Identity Server and the Conditional Authentication User and Roles Related Functions module, which are responsible for defining and executing context-aware authentication policies.

Remediation (AI)

Apply the security patch from WSO2 security advisory WSO2-2025-4530 (available at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4530/), which enforces organization context validation during adaptive authentication flow execution. Until patching is completed, restrict adaptive authentication configuration privileges strictly to administrators with an explicit need for specific organizations, and enable audit logging of all adaptive authentication policy modifications so that suspicious cross-organizational policy changes can be detected. Additionally, review existing adaptive authentication policies in multi-organization deployments to identify any that may have been applied across organizational boundaries. If multi-organization deployment is not critical to operations, consider temporarily disabling adaptive authentication on secondary organizations, keeping in mind that this reduces risk-based authentication capabilities.
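The Technical Context and Remediation sections above describe two things a defender wants to see side by side: the missing organization-scope check that defines this bug class, and the audit event that the remediation asks for. The following is an added, hypothetical illustration of that pattern; it is not WSO2 Identity Server code, uses no WSO2 API, and its organization ids ("org-a", "org-b"), users and script body are constructed. `run_unscoped` models the vulnerable pattern (script selected by id, owning organization never compared against the login's organization); `run_scoped` models the hardened pattern (execution refused and audited unless the owning organization matches exactly).

```python
# Added illustration of the CVE-2025-9973 bug class: an adaptive-authentication
# script configured in one organization being executed for a login in another.
# Hypothetical example code, not WSO2 Identity Server code; no WSO2 API is used.
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class AuthContext:
    """Context of the login being evaluated: the organization it belongs to,
    the user, and the decisions the script has taken so far."""
    org_id: str
    user: str
    decisions: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class AdaptiveScript:
    """A conditional-authentication script as saved by an organization admin."""
    script_id: str
    owner_org: str                          # organization whose admin configured it
    logic: Callable[[AuthContext], str]     # stands in for the script body


def _relax_login(ctx: AuthContext) -> str:
    """Constructed script body: an org admin legitimately relaxing MFA for
    their own users. Applied to a different organization it is an MFA bypass."""
    ctx.decisions.append("skip_mfa")
    return "allow"


# Constructed sample policy store: "org-a" configured one script, "org-b" none.
SCRIPTS: Dict[str, AdaptiveScript] = {
    "relax-mfa": AdaptiveScript("relax-mfa", "org-a", _relax_login),
}

# Constructed audit sink; a real deployment would emit these as audit log events.
AUDIT_LOG: List[dict] = []


def run_unscoped(script_id: str, ctx: AuthContext) -> str:
    """Vulnerable pattern: the script is looked up by id and executed against
    whatever organization the request belongs to; owner_org is never checked."""
    return SCRIPTS[script_id].logic(ctx)


def run_scoped(script_id: str, ctx: AuthContext) -> str:
    """Hardened pattern: execution is refused, and audited, unless the script's
    owning organization is exactly the organization of the login request.
    Exact equality also blocks a parent organization's script from running
    in its sub-organizations."""
    script = SCRIPTS[script_id]
    if script.owner_org != ctx.org_id:
        AUDIT_LOG.append({
            "event": "adaptive_auth_scope_violation",
            "script_id": script.script_id,
            "owner_org": script.owner_org,
            "target_org": ctx.org_id,
            "user": ctx.user,
        })
        raise PermissionError(
            f"script {script.script_id!r} belongs to {script.owner_org!r}, "
            f"not to {ctx.org_id!r}")
    return script.logic(ctx)


if __name__ == "__main__":
    # org-a's script applied to a login in org-b: the unscoped executor skips MFA
    # for a foreign user; the scoped executor refuses and records why.
    foreign = AuthContext(org_id="org-b", user="alice@org-b")
    print("unscoped:", run_unscoped("relax-mfa", foreign), foreign.decisions)
    try:
        run_scoped("relax-mfa", AuthContext(org_id="org-b", user="alice@org-b"))
    except PermissionError as err:
        print("scoped:", err)
    print("audit:", AUDIT_LOG)
```

The audit record written on refusal carries the owning organization, the target organization and the user, which is the minimum a detection rule needs to distinguish a misconfigured policy from an attempt to apply one organization's logic to another; the review of existing policies that the remediation recommends is essentially a query for the same owner/target mismatch over stored policy assignments rather than over live logins.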


CVE-2025-9973 vulnerability details – vuln.today
