Skip to main content

Wso2 Identity Server

11 CVEs product

Monthly

CVE-2025-8591 MEDIUM PATCH This Month

Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, API Control Plane, Traffic Manager, Universal Gateway, Open Banking AM/IAM, and Identity Server as Key Manager - allows unauthenticated remote attackers to inject arbitrary script via unsanitized URL parameters. An attacker who tricks an authenticated user into clicking a crafted link can redirect the victim to a malicious site, tamper with rendered page content, or exfiltrate non-session browser data; partial mitigation is provided by httpOnly flags on session cookies, which block direct session token theft. No public exploit identified at time of analysis; WSO2 self-reported the issue and published advisory WSO2-2025-4343.

XSS Wso2 Identity Server Wso2 Api Manager Wso2 Api Control Plane Wso2 Traffic Manager +4
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-1248 MEDIUM This Month

The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Wso2 Api Manager Wso2 Identity Server Wso2 Identity Server As Key Manager Wso2 Open Banking Am +1
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-13475 HIGH PATCH This Week

Cross-tenant consent leakage in WSO2 Identity Server and WSO2 API Manager multi-tenant deployments lets a SaaS application in one tenant inherit OAuth/OpenID consent that a user granted to a same-named application in a different tenant, breaking tenant isolation of authorization scopes. Because matching is done by application name rather than a tenant-scoped identifier, an application in attacker-controlled tenant B can read and modify a victim's data in tenant A without that user's explicit authorization. No active exploitation is reported (not in CISA KEV, EPSS 0.15%/4th percentile) and no public exploit is identified, but a vendor patch is available.

Authentication Bypass Wso2 Identity Server Wso2 Api Manager
NVD VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-10470 HIGH PATCH This Week

Memory exhaustion denial-of-service in WSO2 Identity Server's Magic Link authenticator allows remote unauthenticated attackers to crash the authentication service by flooding invalid login requests without rate limiting. The vulnerability affects deployments using the Magic Link authentication flow and has an EPSS score indicating moderate exploitation likelihood. WSO2 has published a security advisory (WSO2-2025-4469) with remediation guidance for affected Identity Server and Carbon MagicLink Authenticator Module installations.

Denial Of Service Wso2 Identity Server Wso2 Carbon Magiclink Authenticator Module
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2025-9973 MEDIUM PATCH This Month

WSO2 Identity Server in multi-organization deployments fails to validate organization context during adaptive authentication flow execution, allowing privileged users in one organization to trigger authentication logic on other organizations. An attacker with adaptive authentication configuration privileges can exploit this context validation gap to bypass authorization boundaries, escalate privileges, and gain unauthorized access to user accounts and resources across organizational boundaries.

Authentication Bypass Privilege Escalation Wso2 Identity Server Conditional Authentication User And Roles Related Functions
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-10908 HIGH PATCH This Week

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock mechanism intended to prevent further login attempts.

Authentication Bypass Information Disclosure Wso2 Identity Server Wso2 Carbon Magiclink Authenticator Module
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2024-0391 MEDIUM PATCH This Month

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Wso2 Identity Server Wso2 Open Banking Iam Wso2 Identity Server As Key Manager Email Otp Authenticator +1
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-10503 MEDIUM PATCH This Month

The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible.

XSS Wso2 Identity Server
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-12624 MEDIUM PATCH This Month

Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire.

Authentication Bypass Wso2 Identity Server
NVD VulDB
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-6024 MEDIUM PATCH This Month

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies.

XSS Wso2 Api Manager Wso2 Identity Server
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2024-2374 HIGH PATCH This Week

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Denial Of Service Wso2 Api Manager Wso2 Identity Server Wso2 Open Banking Am +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, API Control Plane, Traffic Manager, Universal Gateway, Open Banking AM/IAM, and Identity Server as Key Manager - allows unauthenticated remote attackers to inject arbitrary script via unsanitized URL parameters. An attacker who tricks an authenticated user into clicking a crafted link can redirect the victim to a malicious site, tamper with rendered page content, or exfiltrate non-session browser data; partial mitigation is provided by httpOnly flags on session cookies, which block direct session token theft. No public exploit identified at time of analysis; WSO2 self-reported the issue and published advisory WSO2-2025-4343.

XSS Wso2 Identity Server Wso2 Api Manager +6
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Wso2 Api Manager Wso2 Identity Server +3
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Cross-tenant consent leakage in WSO2 Identity Server and WSO2 API Manager multi-tenant deployments lets a SaaS application in one tenant inherit OAuth/OpenID consent that a user granted to a same-named application in a different tenant, breaking tenant isolation of authorization scopes. Because matching is done by application name rather than a tenant-scoped identifier, an application in attacker-controlled tenant B can read and modify a victim's data in tenant A without that user's explicit authorization. No active exploitation is reported (not in CISA KEV, EPSS 0.15%/4th percentile) and no public exploit is identified, but a vendor patch is available.

Authentication Bypass Wso2 Identity Server Wso2 Api Manager
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Memory exhaustion denial-of-service in WSO2 Identity Server's Magic Link authenticator allows remote unauthenticated attackers to crash the authentication service by flooding invalid login requests without rate limiting. The vulnerability affects deployments using the Magic Link authentication flow and has an EPSS score indicating moderate exploitation likelihood. WSO2 has published a security advisory (WSO2-2025-4469) with remediation guidance for affected Identity Server and Carbon MagicLink Authenticator Module installations.

Denial Of Service Wso2 Identity Server Wso2 Carbon Magiclink Authenticator Module
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

WSO2 Identity Server in multi-organization deployments fails to validate organization context during adaptive authentication flow execution, allowing privileged users in one organization to trigger authentication logic on other organizations. An attacker with adaptive authentication configuration privileges can exploit this context validation gap to bypass authorization boundaries, escalate privileges, and gain unauthorized access to user accounts and resources across organizational boundaries.

Authentication Bypass Privilege Escalation Wso2 Identity Server +1
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock mechanism intended to prevent further login attempts.

Authentication Bypass Information Disclosure Wso2 Identity Server +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Wso2 Identity Server Wso2 Open Banking Iam +3
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible.

XSS Wso2 Identity Server
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire.

Authentication Bypass Wso2 Identity Server
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies.

XSS Wso2 Api Manager Wso2 Identity Server
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Denial Of Service Wso2 Api Manager +4
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy