Skip to main content

WSO2 API Manager EUVDEUVD-2026-39638

| CVE-2026-2053 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-26 WSO2 GHSA-r865-x64g-f9mm
10.0
CVSS 3.1 · NVD
Share

Severity by source

Vendor (WSO2) PRIMARY
HIGH
qualitative
NVD
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.3 CRITICAL

Unauthenticated network SSRF with low complexity and scope change into internal systems; primary impact is reading internal resources (C:H) with limited integrity effect and no inherent availability loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (WSO2).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jun 27, 2026 - 19:58 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 27, 2026 - 19:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 27, 2026 - 19:52 vuln.today
cvss_changed
Severity Changed
Jun 27, 2026 - 19:52 NVD
HIGH CRITICAL
CVSS changed
Jun 27, 2026 - 19:52 NVD
8.3 (HIGH) 10.0 (CRITICAL)
Patch available
Jun 26, 2026 - 09:01 EUVD
Analysis Generated
Jun 26, 2026 - 08:19 vuln.today

DescriptionNVD

The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows an attacker to manipulate WS-Addressing headers to specify arbitrary destinations for server-initiated requests.

Successful exploitation allows an unauthenticated attacker to control the destination of server-initiated requests originating from the WSO2 API Manager. This direct control can enable unauthorized access to internal network resources or services that would typically be inaccessible from external networks.

AnalysisAI

Server-side request forgery in WSO2 API Manager lets unauthenticated remote attackers coerce the gateway into making server-initiated requests to attacker-chosen destinations by injecting crafted WS-Addressing headers into the message flow. Because the API Manager typically sits at the network edge with reachability into internal systems, this allows pivoting to otherwise unreachable internal resources and services. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-facing WSO2 API gateway
Delivery
Craft SOAP request with malicious WS-Addressing header
Exploit
Gateway fails to validate destination
Execution
Server issues request to internal target
Impact
Access or probe internal services

Vulnerability AssessmentAI

Exploitation Exploitation requires that the WSO2 API Manager process inbound messages through the message-flow/mediation component that handles WS-Addressing headers - i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An external attacker sends a crafted SOAP request to an internet-facing WSO2 API Manager with a malicious WS-Addressing ReplyTo/To header pointing at an internal address (for example a cloud metadata service or an internal admin endpoint). The gateway, without authentication, issues a server-initiated request to that destination, letting the attacker reach or probe internal services unreachable from outside. …
Remediation Patch available per vendor advisory WSO2-2026-5072: apply the patched WUM/update level for your release line - 3.1.0.360, 3.2.0.465, 3.2.1.84, 4.0.0.385, or 4.2.0.189 or later as applicable (https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2026-5072/). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WSO2 API Manager instances and confirm external network exposure and internal connectivity scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4249 HIGH
8.6 Jul 06

Persistent denial of service in multiple WSO2 products - including WSO2 API Manager, WSO2 Universal Gateway, WSO2 Traffi

CVE-2024-2374 HIGH
7.5 Apr 16

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the

CVE-2025-8325 MEDIUM
6.3 May 11

Role-based access control bypass in WSO2 API Manager 3.x allows authenticated users with the 'Internal/Everyone' role to

CVE-2025-8591 MEDIUM
6.1 Jul 06

Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, AP

CVE-2024-10242 MEDIUM
6.1 Apr 16

The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response.

CVE-2025-6024 MEDIUM
6.1 Apr 16

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script

CVE-2024-4867 MEDIUM
5.4 Apr 16

The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or p

CVE-2024-1248 MEDIUM
5.3 Jul 04

The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segrega

CVE-2025-8154 MEDIUM
5.3 May 11

HTTP response header injection in WSO2 Webhook API invocations allows unauthenticated remote attackers to inject or over

CVE-2025-13475 HIGH
7.3 Jul 04

Cross-tenant consent leakage in WSO2 Identity Server and WSO2 API Manager multi-tenant deployments lets a SaaS applicati

CVE-2024-8010 LOW
3.5 Apr 16

The component accepts XML input through the publisher without disabling external entity resolution. Rated low severity (

Share

EUVD-2026-39638 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy