Description
In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses.

By exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, including the manipulation of browser caching, alteration of security-related headers, and the injection of sensitive information such as cookie values, potentially enabling session hijacking or other malicious activities.
Published: 2026-05-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WSO2 Webhook API accepts user-supplied values for HTTP request headers without sufficient validation, allowing those values to be injected into the response. This defect lets an attacker set or overwrite arbitrary response headers, potentially manipulating browser caching, tampering with security-related headers, or exposing sensitive data such as cookie contents, which could enable session hijacking or other malicious activities. The weakness is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, the generic injection class), here manifesting as response-header injection.

Affected Systems

WSO2 products such as API Manager, API Control Plane, Carbon API Gateway, Carbon API Management Implementation, Traffic Manager, and Universal Gateway are affected. No specific product versions are listed; users should check the WSO2 security advisory for the latest patch release.

Risk and Exploitability

The CVSS v3.1 base score of 5.3 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) falls in the Medium severity range: the flaw is reachable over the network with low complexity, requires no privileges or user interaction, and has a low integrity impact with no confidentiality or availability impact. The EPSS score of less than 1% indicates a very low probability of exploitation at present. It is not listed in the CISA KEV catalog. The likely attack vector is remote: an attacker can trigger the flaw by sending a crafted request to the Webhook API. No confirmed exploitation is reported yet, but the impact on session integrity and header control warrants timely remediation.

Generated by OpenCVE AI on May 11, 2026 at 17:40 UTC.

Remediation

Vendor Solution

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4410/#solution


OpenCVE Recommended Actions

  • Update the affected WSO2 components to the latest version following the instructions in WSO2’s security advisory.
  • If an immediate upgrade is not feasible, restrict access to the Webhook API to trusted IPs or networks and enforce additional authentication to limit exposure.
  • Implement custom input validation or header sanitization for the webhook endpoint as a temporary measure to prevent header injection.

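The third recommended action, header sanitization at the webhook endpoint, is shown below as an added example. It is not WSO2's code and not part of the OpenCVE page; it assumes a hypothetical gateway filter written in Python, a hypothetical allow-list of headers that webhook callers may influence (the advisory does not say which headers the affected component reflects), and a deny-list built from the header classes the advisory warns about (caching, security, and cookie headers). Every caller-supplied name must be a valid header token, every value must be free of CR, LF, NUL and other control characters, and anything outside the allow-list is dropped with a reason that can be logged.

```python
import re
from typing import Dict, List, Tuple

# Header field names must be an RFC 9110 "token": no whitespace, colons or controls.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Field values: printable ASCII plus SP and HTAB only. CR, LF and NUL are excluded,
# which is what blocks a value from terminating one header and starting another.
_VALUE_RE = re.compile(r"[\t\x20-\x7e]*")

# Hypothetical policy: the only response headers a webhook caller may set.
ALLOWED_HEADERS = frozenset({"x-request-id", "x-correlation-id", "content-type"})

# Header classes the advisory names as manipulation targets; never caller-controlled.
PROTECTED_HEADERS = frozenset({
    "set-cookie", "cookie", "cache-control", "pragma", "expires",
    "strict-transport-security", "content-security-policy",
    "x-frame-options", "access-control-allow-origin", "location",
})


def sanitize_response_headers(requested: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Filter caller-supplied headers before they are copied into a response.

    Returns (accepted, rejected): accepted maps lower-cased names to values that
    passed every check; rejected lists one human-readable reason per dropped header,
    suitable for an audit log.
    """
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for raw_name, raw_value in requested.items():
        name = raw_name.strip().lower()
        # fullmatch, not match: a trailing newline would otherwise slip past "$".
        if not _TOKEN_RE.fullmatch(name):
            rejected.append(f"{raw_name!r}: invalid header name")
            continue
        if name in PROTECTED_HEADERS:
            rejected.append(f"{raw_name!r}: protected header")
            continue
        if name not in ALLOWED_HEADERS:
            rejected.append(f"{raw_name!r}: not in allow-list")
            continue
        if not isinstance(raw_value, str) or not _VALUE_RE.fullmatch(raw_value):
            rejected.append(f"{raw_name!r}: control character or non-ASCII in value")
            continue
        accepted[name] = raw_value.strip()
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input: one legitimate header, one value carrying CRLF,
    # one protected header and one malformed name.
    sample = {
        "X-Request-Id": "req-42",
        "X-Correlation-Id": "abc\r\nSet-Cookie: injected=1",
        "Cache-Control": "no-store",
        "Bad Name": "value",
    }
    ok, dropped = sanitize_response_headers(sample)
    print("accepted:", ok)
    for reason in dropped:
        print("rejected:", reason)
```

The allow-list is deliberately small: the safe default for a reflected-header feature is to copy nothing the caller sends unless it has a known purpose, and to log every rejection so a spike in dropped headers on the webhook endpoint shows up in monitoring.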
Generated by OpenCVE AI on May 11, 2026 at 17:40 UTC.

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses. By exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, including the manipulation of browser caching, alteration of security-related headers, and the injection of sensitive information such as cookie values, potentially enabling session hijacking or other malicious activities.
Title HTTP Header Injection via Webhook API in Multiple WSO2 Products Allows Response Header Manipulation
First Time appeared Wso2
Wso2 wso2 Api Control Plane
Wso2 wso2 Api Manager
Wso2 wso2 Carbon Api Gateway
Wso2 wso2 Carbon Api Management Implementation
Wso2 wso2 Traffic Manager
Wso2 wso2 Universal Gateway
Weaknesses CWE-74
CPEs cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_carbon_api_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_carbon_api_management_implementation:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*
Vendors & Products Wso2
Wso2 wso2 Api Control Plane
Wso2 wso2 Api Manager
Wso2 wso2 Carbon Api Gateway
Wso2 wso2 Carbon Api Management Implementation
Wso2 wso2 Traffic Manager
Wso2 wso2 Universal Gateway
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: WSO2

Published:

Updated: 2026-05-11T12:43:47.037Z

Reserved: 2025-07-25T06:42:23.104Z

Link: CVE-2025-8154

Vulnrichment

Updated: 2026-05-11T12:43:43.481Z

NVD

Status : Received

Published: 2026-05-11T10:16:12.863

Modified: 2026-05-11T10:16:12.863

Link: CVE-2025-8154

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T17:45:26Z

Weaknesses