Description
The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources.

By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources.
Published: 2026-04-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read and Denial of Service
Action: Immediate Patch
AI Analysis

Impact

WSO2 products process XML data without disallowing external entities, which lets attackers inject malicious XML that causes the parser to request external resources. This flaw permits reading confidential system files and accessing limited remote HTTP resources, and can also lead to denial of service by exhausting server CPU or memory when entities recurse or trigger large external downloads.

Affected Systems

The vulnerability affects WSO2 API Manager, WSO2 Identity Server, WSO2 Identity Server as Key Manager, WSO2 Open Banking AM, and WSO2 Open Banking IAM. No specific affected version numbers are listed, so all releases before the vendor’s remediation are potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact, with confidentiality and availability risks. EPSS data is not available and the issue is not in CISA’s KEV catalog. An attacker must supply crafted XML to the vulnerable component, which is likely accessible via exposed APIs or configuration endpoints. Once the XML is parsed, the external entity resolution leads to arbitrary file access or resource exhaustion, enabling the DoS attack.

Generated by OpenCVE AI on April 17, 2026 at 03:27 UTC.

Remediation

Vendor Solution

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/#solution

OpenCVE Recommended Actions

  • Apply the vendor-supplied patch and configuration adjustments as described in the WSO2 security advisory at the provided URL.
  • After patching, verify that the XML parser’s external entity resolution feature is disabled and that DTD processing is turned off for all inbound XML streams.
  • Continuously monitor application logs for abnormal XML parsing activity and restrict inbound XML access to trusted sources only.

Generated by OpenCVE AI on April 17, 2026 at 03:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_am:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_iam:*:*:*:*:*:*:*:*

Thu, 16 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wso2 api Manager
Wso2 identity Server
Wso2 identity Server As Key Manager
Wso2 open Banking Am
Wso2 open Banking Iam
Vendors & Products Wso2 api Manager
Wso2 identity Server
Wso2 identity Server As Key Manager
Wso2 open Banking Am
Wso2 open Banking Iam

Thu, 16 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Description The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources.
Title XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary file read and Denial of Service
First Time appeared Wso2
Wso2 wso2 Api Manager
Wso2 wso2 Identity Server
Wso2 wso2 Identity Server As Key Manager
Wso2 wso2 Open Banking Am
Wso2 wso2 Open Banking Iam
Weaknesses CWE-611
CPEs cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_open_banking_am:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*
Vendors & Products Wso2
Wso2 wso2 Api Manager
Wso2 wso2 Identity Server
Wso2 wso2 Identity Server As Key Manager
Wso2 wso2 Open Banking Am
Wso2 wso2 Open Banking Iam
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Wso2 Api Manager Identity Server Identity Server As Key Manager Open Banking Am Open Banking Iam Wso2 Api Manager Wso2 Identity Server Wso2 Identity Server As Key Manager Wso2 Open Banking Am Wso2 Open Banking Iam
cve-icon MITRE

Status: PUBLISHED

Assigner: WSO2

Published:

Updated: 2026-04-16T12:30:49.250Z

Reserved: 2024-03-11T13:41:10.687Z

Link: CVE-2024-2374

cve-icon Vulnrichment

Updated: 2026-04-16T12:29:16.446Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-16T09:16:34.967

Modified: 2026-04-23T15:36:05.877

Link: CVE-2024-2374

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T03:30:08Z

Weaknesses