Skip to main content

WSO2 API Manager EUVDEUVD-2026-41871

| CVE-2026-4249 HIGH
Improper Neutralization (CWE-707)
2026-07-06 WSO2 GHSA-7469-8h9r-c5xc
8.6
CVSS 3.1 · Vendor: WSO2
Share

Severity by source

Vendor (WSO2) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
vuln.today AI
8.6 HIGH

Unauthenticated network-reachable throttling endpoint (AV:N/PR:N/AC:L), no user interaction, availability-only impact with scope change since one component's input takes down the separate Gateway (S:C/A:H).

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Primary rating from Vendor (WSO2).

CVSS VectorVendor: WSO2

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jul 06, 2026 - 12:01 EUVD
Analysis Generated
Jul 06, 2026 - 10:57 vuln.today

DescriptionCVE.org

The throttling event handling mechanism in multiple WSO2 products accepts user-supplied JSON payloads without sufficient validation of their structure and content. This allows an unauthenticated remote attacker to inject malicious JSON data that can lead to a persistent denial of service condition.

Successful exploitation of this vulnerability can disrupt the API Gateway, preventing legitimate API traffic from being processed and impacting complete service availability. The denial of service is persistent, requiring manual intervention to restore normal operations.

AnalysisAI

Persistent denial of service in multiple WSO2 products - including WSO2 API Manager, WSO2 Universal Gateway, WSO2 Traffic Manager, and WSO2 API Control Plane - allows an unauthenticated remote attacker to send malicious JSON payloads to the throttling event handling mechanism, crashing or corrupting API Gateway state so that legitimate API traffic can no longer be processed. Because the outage is persistent and requires manual intervention to restore service, and the CVSS scope is changed (S:C), a single request can take down the entire API Gateway tier. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed WSO2 throttling endpoint
Delivery
Craft malicious JSON throttling event
Exploit
Submit payload unauthenticated over network
Execution
Bypass insufficient structure validation
Persist
Corrupt/crash throttling event handler
Impact
Persistent API Gateway service outage

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the throttling event handling mechanism of a WSO2 API management product (API Manager, Universal Gateway, Traffic Manager, or API Control Plane) that accepts and processes JSON throttling-event payloads. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine operational priority for anyone exposing WSO2 API Manager/Gateway to untrusted networks. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the network sends a crafted, structurally malformed JSON throttling-event payload to an exposed WSO2 throttling endpoint without any authentication. The malformed data is processed by the throttling event handler and drives the API Gateway into a broken state that persists across the request, so legitimate API calls stop being served until an operator manually restarts or repairs the affected nodes. …
Remediation Apply the fix described in the WSO2 vendor advisory WSO2-2026-5236 (https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2026-5236/); a patch is available per the vendor advisory, but an exact fixed version string is not present in the provided data and should be taken directly from that advisory or the corresponding WSO2 update level / WUM patch for your product version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WSO2 product instances in production and assess API traffic volume to determine blast radius. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41871 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy