Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Unauthenticated network-reachable throttling endpoint (AV:N/PR:N/AC:L), no user interaction, availability-only impact with scope change since one component's input takes down the separate Gateway (S:C/A:H).
Primary rating from Vendor (WSO2).
CVSS VectorVendor: WSO2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
The throttling event handling mechanism in multiple WSO2 products accepts user-supplied JSON payloads without sufficient validation of their structure and content. This allows an unauthenticated remote attacker to inject malicious JSON data that can lead to a persistent denial of service condition.
Successful exploitation of this vulnerability can disrupt the API Gateway, preventing legitimate API traffic from being processed and impacting complete service availability. The denial of service is persistent, requiring manual intervention to restore normal operations.
AnalysisAI
Persistent denial of service in multiple WSO2 products - including WSO2 API Manager, WSO2 Universal Gateway, WSO2 Traffic Manager, and WSO2 API Control Plane - allows an unauthenticated remote attacker to send malicious JSON payloads to the throttling event handling mechanism, crashing or corrupting API Gateway state so that legitimate API traffic can no longer be processed. Because the outage is persistent and requires manual intervention to restore service, and the CVSS scope is changed (S:C), a single request can take down the entire API Gateway tier. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the throttling event handling mechanism of a WSO2 API management product (API Manager, Universal Gateway, Traffic Manager, or API Control Plane) that accepts and processes JSON throttling-event payloads. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine operational priority for anyone exposing WSO2 API Manager/Gateway to untrusted networks. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on the network sends a crafted, structurally malformed JSON throttling-event payload to an exposed WSO2 throttling endpoint without any authentication. The malformed data is processed by the throttling event handler and drives the API Gateway into a broken state that persists across the request, so legitimate API calls stop being served until an operator manually restarts or repairs the affected nodes. … |
| Remediation | Apply the fix described in the WSO2 vendor advisory WSO2-2026-5236 (https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2026-5236/); a patch is available per the vendor advisory, but an exact fixed version string is not present in the provided data and should be taken directly from that advisory or the corresponding WSO2 update level / WUM patch for your product version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WSO2 product instances in production and assess API traffic volume to determine blast radius. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wso2 Universal Gateway
View allRole-based access control bypass in WSO2 API Manager 3.x allows authenticated users with the 'Internal/Everyone' role to
Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, AP
HTTP response header injection in WSO2 Webhook API invocations allows unauthenticated remote attackers to inject or over
Same weakness CWE-707 – Improper Neutralization
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41871
GHSA-7469-8h9r-c5xc