Impact
The vulnerability arises because the WSO2 Identity Server does not validate the organization context during adaptive authentication flows, a weakness classified as CWE-284 (Improper Access Control) and CWE-863 (Incorrect Authorization). As a result, a user who has permission to configure adaptive authentication in one organization can trigger authentication logic that is intended for other organizations. This allows the attacker to bypass authorization boundaries, gain unauthorized access to sensitive operations and user accounts, and potentially take ownership of accounts across multiple organizations. The impact is a significant escalation of privileges for the attacker within a multi-organization deployment.
Affected Systems
The affected WSO2 components are the Conditional Authentication User and Roles Related Functions component and the core WSO2 Identity Server. The vulnerability applies to every version of these components that executes adaptive authentication logic without validating the organization context; the advisory does not disclose specific version ranges.
Risk and Exploitability
The CVSS score of 6.4 places this flaw in the medium severity range. The EPSS score of less than 1% indicates a low probability of exploitation at present, and the flaw is not listed in the CISA KEV catalog, suggesting no known active exploitation. However, the attack vector requires configuration privileges within an organization: an attacker who can modify adaptive authentication policies can trigger the flaw from inside the same deployment. Because such privileges are a prerequisite, the exposure is limited to deployments where this administrative authority has been granted. Once triggered, the attacker's reach extends far beyond the intended authorization boundaries, potentially covering all resources in the target organizations.
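To make the weakness described in the Impact and Risk sections concrete, the following is an added illustrative model written for this page; it is not WSO2 code and does not use WSO2's adaptive-authentication API. It shows, in the JavaScript that adaptive scripts are typically written in, the shape of a user/role helper that takes the target user from script input without checking which organization's flow is executing (CWE-863), beside a hardened version that binds every call to the organization owning the running flow and records refused cross-organization requests for detection. The store layout, the `flowContext` shape and all user identifiers are constructed assumptions.

```javascript
// Constructed sample data: two organizations in one deployment, one user each.
// makeStore() returns a fresh copy so each scenario starts from a clean state.
function makeStore() {
  return {
    "alice@org-a": { org: "org-a", roles: ["employee"] },
    "bob@org-b":   { org: "org-b", roles: ["employee"] },
  };
}

// Assumed shape of the context the flow engine hands to a running script:
// `org` is the organization whose adaptive-authentication script is executing,
// and `audit` collects security events the engine would normally log.
function flowContext(org) {
  return { org, audit: [] };
}

// Vulnerable shape of the weakness: the helper trusts the user identifier that
// the script supplies and never compares the user's organization with the
// organization that owns the flow. A script authored in org-a can therefore
// change roles for a user in org-b.
function assignRolesUnchecked(store, ctx, userId, roles) {
  const user = store[userId];
  if (!user) return { ok: false, reason: "unknown-user" };
  for (const r of roles) if (!user.roles.includes(r)) user.roles.push(r);
  return { ok: true, roles: [...user.roles] };
}

// Hardened shape: the organization context is validated before any state
// change. The target user must belong to the organization whose flow is
// running; anything else is refused and written to the audit trail so that
// cross-organization attempts are visible to detection tooling.
function assignRolesScoped(store, ctx, userId, roles) {
  const user = store[userId];
  if (!user) return { ok: false, reason: "unknown-user" };
  if (user.org !== ctx.org) {
    ctx.audit.push({
      event: "cross-organization-role-change-refused",
      flowOrg: ctx.org,
      targetUser: userId,
      targetOrg: user.org,
      roles: [...roles],
    });
    return { ok: false, reason: "cross-organization" };
  }
  for (const r of roles) if (!user.roles.includes(r)) user.roles.push(r);
  return { ok: true, roles: [...user.roles] };
}

// Runs the same cross-organization request against both helpers and returns
// what each one did, so the difference can be inspected or asserted on.
function compareBehaviour() {
  const request = { userId: "bob@org-b", roles: ["admin"] };

  const uncheckedStore = makeStore();
  const uncheckedCtx = flowContext("org-a");
  const unchecked = assignRolesUnchecked(
    uncheckedStore, uncheckedCtx, request.userId, request.roles);

  const scopedStore = makeStore();
  const scopedCtx = flowContext("org-a");
  const scoped = assignRolesScoped(
    scopedStore, scopedCtx, request.userId, request.roles);

  return {
    uncheckedSucceeded: unchecked.ok,
    uncheckedBobRoles: [...uncheckedStore["bob@org-b"].roles],
    scopedSucceeded: scoped.ok,
    scopedReason: scoped.reason,
    scopedBobRoles: [...scopedStore["bob@org-b"].roles],
    auditEvents: scopedCtx.audit.length,
  };
}

// Stand-alone demonstration.
console.log(JSON.stringify(compareBehaviour(), null, 2));

module.exports = { makeStore, flowContext, assignRolesUnchecked, assignRolesScoped, compareBehaviour };
```

The design point is that the organization is taken from the execution context the engine controls, not from anything the script author supplies, and that a refusal produces an audit event rather than a silent failure; a deployment that cannot patch immediately can at least alert on that event class and restrict who may edit adaptive authentication policies, as the Risk section notes.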
OpenCVE Enrichment