Description
The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions.

A malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges. This could lead to unintended behavior or misuse, particularly in production environments.
Published: 2026-05-11
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because the software fails to enforce role‑based access controls for selected Gateway API calls. Users assigned to the default 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks and allowing them to carry out sensitive operations that should be restricted. The impact is that an attacker with a valid account can execute privileged actions against the Gateway REST API and, in some cases, internal service APIs exposed in certain WSO2 APIM 3.x installations, potentially leading to misuse or unintended behavior, especially in production environments.

Affected Systems

The affected products are the WSO2 API Control Plane, WSO2 API Manager, WSO2 Carbon API Management Implementation, WSO2 Carbon API Manager Rest API Utility, WSO2 Traffic Manager, and WSO2 Universal Gateway. Exact versions are not provided; however, the description indicates that WSO2 APIM 3.x releases are impacted.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity. The EPSS score of less than 1 % means the likelihood of exploitation in the wild is low, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be remote or local access to the Gateway REST API, because an authenticated user with any valid account can exploit the flaw. No additional hardening beyond the vendor’s patch is described in the advisory.

Generated by OpenCVE AI on May 11, 2026 at 17:12 UTC.

Remediation

Vendor Solution

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4401/#solution

OpenCVE Recommended Actions

  • Apply the vendor’s published patch or upgrade path as documented on the WSO2 security advisory website
  • Restrict the 'Internal/Everyone' role so that only trusted users can access Gateway APIs
  • Review and enforce stricter role‑based permissions on the internal service APIs that are exposed by the Gateway

Generated by OpenCVE AI on May 11, 2026 at 17:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions. A malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges. This could lead to unintended behavior or misuse, particularly in production environments.
Title Improper Access Control via Gateway API in Multiple WSO2 Products Allows Unauthorized Operations
First Time appeared Wso2
Wso2 wso2 Api Control Plane
Wso2 wso2 Api Manager
Wso2 wso2 Carbon Api Management Implementation
Wso2 wso2 Carbon Api Manager Rest Api Utility
Wso2 wso2 Traffic Manager
Wso2 wso2 Universal Gateway
Weaknesses CWE-281
CPEs cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_carbon_api_management_implementation:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_carbon_api_manager_rest_api_utility:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*
Vendors & Products Wso2
Wso2 wso2 Api Control Plane
Wso2 wso2 Api Manager
Wso2 wso2 Carbon Api Management Implementation
Wso2 wso2 Carbon Api Manager Rest Api Utility
Wso2 wso2 Traffic Manager
Wso2 wso2 Universal Gateway
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Wso2 Wso2 Api Control Plane Wso2 Api Manager Wso2 Carbon Api Management Implementation Wso2 Carbon Api Manager Rest Api Utility Wso2 Traffic Manager Wso2 Universal Gateway
cve-icon MITRE

Status: PUBLISHED

Assigner: WSO2

Published:

Updated: 2026-05-11T12:41:26.715Z

Reserved: 2025-07-30T06:56:38.447Z

Link: CVE-2025-8325

cve-icon Vulnrichment

Updated: 2026-05-11T12:41:22.981Z

cve-icon NVD

Status : Received

Published: 2026-05-11T10:16:13.037

Modified: 2026-05-11T10:16:13.037

Link: CVE-2025-8325

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T17:45:25Z

Weaknesses