cvebase

Wso2 Identity Server vulnerabilities

43 known vulnerabilities affecting wso2/wso2_identity_server.

Total CVEs: 43
CISA KEV: 0
Public exploits: 3
Exploited in wild: 2
Severity breakdown: CRITICAL 5, HIGH 11, MEDIUM 26, LOW 1

Vulnerabilities (page 1 of 3)

Entry fields: CVE | priority | severity | CVSS score | exploitation flags | affected version ranges | date
CVE-2025-5605 | P1 | MEDIUM | CVSS 5.3 | Exploited, PoC | ≥ 5.10.0, < 5.10.0.361; ≥ 5.11.0, < 5.11.0.414; +4 more | 2025-10-24
CWE-290: An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure. The known exposure from this issue is limited to memory statistics
Source: nvd
CVE-2024-7097 | P2 | MEDIUM | CVSS 4.3 | Exploited, PoC | ≥ 5.2.0, < 5.2.0.32; ≥ 5.3.0, < 5.3.0.33; +12 more | 2025-05-30
CWE-863: An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization. Exploitation of this flaw could allow an
Source: nvd
CVE-2025-9312 | P2 | CRITICAL | CVSS 9.8 | ≥ 5.2.0, < 5.2.0.33; ≥ 5.3.0, < 5.3.0.34; +13 more | 2025-11-18
CWE-306: A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate-based authentication in certain default configurations, the affected components may permit unauthenticated requests even when mTLS is
Source: nvd
CVE-2025-10611 | P2 | CRITICAL | CVSS 9.8 | ≥ 5.3.0, < 5.3.0.39; ≥ 5.5.0, < 5.5.0.54; +10 more | 2025-10-16
CWE-863: Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthentic
Source: nvd
CVE-2024-6914 | P2 | CRITICAL | CVSS 9.8 | ≥ 5.3.0, < 5.3.0.31; ≥ 5.4.0, < 5.4.0.30; +11 more | 2025-05-22
CWE-863: An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user account, leading to a complete account takeover, including accounts with elevated privileges. This vulnerability
Source: nvd
CVE-2025-10713 | P3 | CRITICAL | CVSS 9.1 | ≥ 5.10.0, < 5.10.0.373; ≥ 5.11.0, < 5.11.0.417; +1 more | 2025-11-05
CWE-611: An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities. A successful attack could enable a remote, unauthenticated attacker to read sensitive files from t
Source: nvd
CVE-2024-2374 | P3 | CRITICAL | CVSS 9.1 | ≥ 5.10.0, < 5.10.0.300; ≥ 5.11.0, < 5.11.0.329; +2 more | 2026-04-16
CWE-611: The XML parsers within multiple WSO2 products accept user-supplied XML data without being properly configured to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can rea
Source: nvd
CVE-2025-10470 | P3 | HIGH | CVSS 8.6 | ≥ 7.0.0, < 7.0.0.121 | 2026-05-11
CWE-400: The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is lim
Source: nvd
CVE-2025-10907 | P3 | HIGH | CVSS 7.2 | ≥ 5.10.0, < 5.10.0.375; ≥ 5.11.0, < 5.11.0.419; +4 more | 2025-11-05
CWE-434: An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment. Successful exploitation may lead to remote code exe
Source: nvd
CVE-2025-9973 | P3 | HIGH | CVSS 7.2 | ≥ 7.1.0, < 7.1.0.26 | 2026-05-11
CWE-284: Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to configure adaptive authentication within one organization can leverage this functionality to execute authentication lo
Source: nvd
CVE-2025-3125 | P3 | HIGH | CVSS 7.2 | ≥ 5.10.0, < 5.10.0.360; ≥ 5.11.0, < 5.11.0.399; +4 more | 2025-11-05
CWE-434: An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE). This functionality is
Source: nvd
CVE-2025-1862 | P3 | HIGH | CVSS 7.2 | ≥ 5.10.0, < 5.10.0.347; ≥ 5.11.0, < 5.11.0.396; +2 more | 2025-09-26
CWE-434: An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in the BPEL uploader SOAP service endpoint. A malicious actor with administrative privileges can upload arbitrary files to a user-controlled location on the server. By leveraging this vulnerability, an attacker can upload a spe
Source: nvd
CVE-2023-6837 | P3 | HIGH | CVSS 8.2 | ≥ 5.6.0, < 5.6.0.16; ≥ 5.7.0, < 5.7.0.35; +4 more | 2023-12-15
CWE-863: Multiple WSO2 products have been identified as vulnerable to user impersonation using JIT provisioning. In order for this vulnerability to have any impact on your deployment, the following conditions must be met: * An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option
Source: nvd
CVE-2024-1524 | P3 | HIGH | CVSS 8.1 | ≥ 6.0.0, < 6.0.0.171; ≥ 6.1.0, < 6.1.0.128 | 2026-02-24
CWE-290: When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will be no impact on your deployment if any of the precondi
Source: nvd
CVE-2025-5350 | P4 | MEDIUM | CVSS 4.8 | PoC | ≥ 5.10.0, < 5.10.0.359; ≥ 5.11.0, < 5.11.0.415; +4 more | 2025-10-24
CWE-79: SSRF and Reflected XSS vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response,
Source: nvd
CVE-2025-12107 | P3 | HIGH | CVSS 7.2 | ≥ 5.11.0.130, < 5.11.0.299 | 2026-02-19
CWE-1336: Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potent
Source: nvd
CVE-2025-6670 | P3 | HIGH | CVSS 8.8 | ≥ 5.10.0, < 5.10.0.378; ≥ 5.11.0, < 5.11.0.425; +5 more | 2025-11-18
CWE-352: A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows co
Source: nvd
CVE-2025-10908 | P3 | HIGH | CVSS 7.3 | ≥ 6.0.0, < 6.0.0.249; ≥ 6.1.0, < 6.1.0.248; +2 more | 2026-05-11
CWE-863: Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data
Source: nvd
CVE-2025-9804 | P3 | MEDIUM | CVSS 6.5 | ≥ 5.2.0, < 5.2.0.34; ≥ 5.3.0, < 5.3.0.36; +13 more | 2025-10-16
CWE-284: An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal admini
Source: nvd
CVE-2023-6836 | P3 | HIGH | CVSS 7.5 | ≥ 5.4.0.0, < 5.4.0.1; ≥ 5.4.1.0, < 5.4.1.1; +2 more | 2023-12-15
CWE-611: Multiple WSO2 products have been identified as vulnerable to an XML External Entity (XXE) attack, which abuses a widely available but rarely used feature of XML parsers to access sensitive information.
Source: nvd