Potential Broken Access Control in Multiple WSO2 Products via System...

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation.

Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.

Basic Information

ID CVE-2025-10611

Source WSO2

Published Oct 16, 2025 at 12:09

Modified Oct 16, 2025 at 13:24

Affected Product

Vendor WSO2

Product WSO2 API Manager

Affected Versions WSO2 WSO2 API Manager 2.1.0
WSO2 WSO2 API Manager 2.2.0
WSO2 WSO2 API Manager 2.5.0
WSO2 WSO2 API Manager 2.6.0
WSO2 WSO2 API Manager 3.0.0
WSO2 WSO2 API Manager 3.1.0
WSO2 WSO2 API Manager 3.2.0
WSO2 WSO2 API Manager 3.2.1
WSO2 WSO2 API Manager 4.0.0
WSO2 WSO2 API Manager 4.1.0
WSO2 WSO2 API Manager 4.2.0
WSO2 WSO2 API Manager 4.3.0
WSO2 WSO2 API Manager 4.4.0
WSO2 WSO2 API Manager 4.5.0
WSO2 WSO2 API Control Plane 4.5.0
WSO2 WSO2 Open Banking AM 1.4.0
WSO2 WSO2 Open Banking AM 1.5.0
WSO2 WSO2 Open Banking AM 2.0.0
WSO2 WSO2 Open Banking IAM 2.0.0
WSO2 WSO2 Identity Server 5.3.0
WSO2 WSO2 Identity Server 5.5.0
WSO2 WSO2 Identity Server 5.6.0
WSO2 WSO2 Identity Server 5.7.0
WSO2 WSO2 Identity Server 5.8.0
WSO2 WSO2 Identity Server 5.9.0
WSO2 WSO2 Identity Server 5.10.0
WSO2 WSO2 Identity Server 5.11.0
WSO2 WSO2 Identity Server 6.0.0
WSO2 WSO2 Identity Server 6.1.0
WSO2 WSO2 Identity Server 7.0.0
WSO2 WSO2 Identity Server 7.1.0
WSO2 WSO2 Identity Server as Key Manager 5.3.0
WSO2 WSO2 Identity Server as Key Manager 5.5.0
WSO2 WSO2 Identity Server as Key Manager 5.6.0
WSO2 WSO2 Identity Server as Key Manager 5.7.0
WSO2 WSO2 Identity Server as Key Manager 5.9.0
WSO2 WSO2 Identity Server as Key Manager 5.10.0
WSO2 WSO2 Open Banking KM 1.4.0
WSO2 WSO2 Open Banking KM 1.5.0
WSO2 WSO2 Universal Gateway 4.5.0
WSO2 WSO2 Traffic Manager 4.5.0
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.1.1
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.1.16
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.1.18
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.1.20
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.1.26
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.3.6
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.4.0
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.4.25
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.4.52
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.6.1
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.7.1
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.8.11
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.8.41
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.9.4
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.9.18
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.8
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.1.1
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.1.16
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.1.18
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.1.20
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.1.26
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.3.6
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.4.0
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.4.25
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.4.52
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.6.1
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.7.1
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.8.11
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.8.41
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.9.4
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.9.18
WSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.8

References

security.docs.wso2.com /en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/

{
    "lastseen": "",
    "description": "Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation.\n\nSuccessful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.",
    "published": "2025-10-16T12:09:31.802Z",
    "modified": "2025-10-16T13:24:50.489Z",
    "type": "cve",
    "title": "Potential Broken Access Control in Multiple WSO2 Products via System REST APIs",
    "source": "WSO2",
    "references": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/",
    "id": "CVE-2025-10611",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "WSO2 WSO2 API Manager 2.1.0\nWSO2 WSO2 API Manager 2.2.0\nWSO2 WSO2 API Manager 2.5.0\nWSO2 WSO2 API Manager 2.6.0\nWSO2 WSO2 API Manager 3.0.0\nWSO2 WSO2 API Manager 3.1.0\nWSO2 WSO2 API Manager 3.2.0\nWSO2 WSO2 API Manager 3.2.1\nWSO2 WSO2 API Manager 4.0.0\nWSO2 WSO2 API Manager 4.1.0\nWSO2 WSO2 API Manager 4.2.0\nWSO2 WSO2 API Manager 4.3.0\nWSO2 WSO2 API Manager 4.4.0\nWSO2 WSO2 API Manager 4.5.0\nWSO2 WSO2 API Control Plane 4.5.0\nWSO2 WSO2 Open Banking AM 1.4.0\nWSO2 WSO2 Open Banking AM 1.5.0\nWSO2 WSO2 Open Banking AM 2.0.0\nWSO2 WSO2 Open Banking IAM 2.0.0\nWSO2 WSO2 Identity Server 5.3.0\nWSO2 WSO2 Identity Server 5.5.0\nWSO2 WSO2 Identity Server 5.6.0\nWSO2 WSO2 Identity Server 5.7.0\nWSO2 WSO2 Identity Server 5.8.0\nWSO2 WSO2 Identity Server 5.9.0\nWSO2 WSO2 Identity Server 5.10.0\nWSO2 WSO2 Identity Server 5.11.0\nWSO2 WSO2 Identity Server 6.0.0\nWSO2 WSO2 Identity Server 6.1.0\nWSO2 WSO2 Identity Server 7.0.0\nWSO2 WSO2 Identity Server 7.1.0\nWSO2 WSO2 Identity Server as Key Manager 5.3.0\nWSO2 WSO2 Identity Server as Key Manager 5.5.0\nWSO2 WSO2 Identity Server as Key Manager 5.6.0\nWSO2 WSO2 Identity Server as Key Manager 5.7.0\nWSO2 WSO2 Identity Server as Key Manager 5.9.0\nWSO2 WSO2 Identity Server as Key Manager 5.10.0\nWSO2 WSO2 Open Banking KM 1.4.0\nWSO2 WSO2 Open Banking KM 1.5.0\nWSO2 WSO2 Universal Gateway 4.5.0\nWSO2 WSO2 Traffic Manager 4.5.0\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.1.1\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.1.16\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.1.18\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.1.20\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.1.26\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.3.6\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.4.0\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.4.25\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.4.52\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.6.1\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.7.1\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.8.11\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.8.41\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.9.4\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.9.18\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.8\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.1.1\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.1.16\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.1.18\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.1.20\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.1.26\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.3.6\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.4.0\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.4.25\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.4.52\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.6.1\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.7.1\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.8.11\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.8.41\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.9.4\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.9.18\nWSO2 org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve 1.8",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WSO2 API Manager",
    "version": "0",
    "vendor": "WSO2",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Potential Broken Access Control in Multiple WSO2 Products via System REST APIs_CVE-2025-10611

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply