Description
The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows an attacker to manipulate WS-Addressing headers to specify arbitrary destinations for server-initiated requests.

Successful exploitation allows an unauthenticated attacker to control the destination of server-initiated requests originating from the WSO2 API Manager. This direct control can enable unauthorized access to internal network resources or services that would typically be inaccessible from external networks.
Published: 2026-06-26
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WSO2 API Manager's message flow component does not validate user‑controlled input in WS‑Addressing headers, so an attacker can tamper with those headers and redirect server‑initiated requests to arbitrary destinations. The gateway then acts as a relay: a malicious actor can make it connect to internal services that are otherwise unreachable from the public network. The CVSS vector (S:C with C:L/I:L/A:L) reflects this; the impact lands on the systems the gateway can reach, not as code execution on the API Manager host itself.

Affected Systems

All releases of WSO2 API Manager are potentially affected. This record carries no version range, so consult the vendor advisory WSO2-2026-5072 for the affected releases and patch levels, and treat any instance that has not been confirmed patched as exposed.

Risk and Exploitability

The CVSS score of 8.3 (AV:N/AC:L/PR:N/UI:N) indicates high severity. The EPSS score is currently below 1%, which reflects an absence of observed exploitation rather than any difficulty: the vector requires no credentials and no user interaction. An attacker sends a crafted SOAP message carrying forged WS‑Addressing headers, and the API Manager reaches out to a destination of the attacker's choosing. Because that connection originates from the gateway, perimeter controls that block inbound traffic to internal services do not help; anything the gateway can reach over the network (internal management interfaces, other backends, and on cloud‑hosted instances the instance metadata service) is in scope. The issue is not in the CISA KEV catalog, and the SSVC record lists Exploitation: none, but it also lists Automatable: yes, which together with the high CVSS score warrants priority patching.

Generated by OpenCVE AI on June 26, 2026 at 08:20 UTC.
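
The crafted message described under Description and under Risk and Exploitability can be made concrete with the standard WS‑Addressing header fields. The following is an added example written for this page; it is not WSO2 code and does not reproduce the vulnerable code path. It assumes that the attacker‑controlled destinations are the wsa:ReplyTo and wsa:FaultTo endpoint references (the fields WS‑Addressing 1.0 uses to tell a server where to send replies and faults); the advisory does not say which header fields WSO2 mishandles. The callback allowlist host and both sample envelopes are constructed for the demonstration. The audit function rejects any reply or fault destination that is a non‑public address, is not HTTPS, or is not on the allowlist, and flags duplicated headers, which a forgiving parser may resolve differently from the validator.

```python
"""Check WS-Addressing reply/fault destinations in a SOAP envelope for SSRF.

Added example for this page; not WSO2 code. Assumes wsa:ReplyTo and wsa:FaultTo
are the attacker-controlled destination fields (not confirmed by the advisory).
The allowlist and the sample envelopes are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET  # use defusedxml in production to refuse entity expansion
from typing import List, Tuple
from urllib.parse import urlparse

WSA_NS = "http://www.w3.org/2005/08/addressing"
WSA_ANONYMOUS = WSA_NS + "/anonymous"   # reply on the same connection
WSA_NONE = WSA_NS + "/none"             # do not send a reply at all
SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope"
SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Endpoint references whose <wsa:Address> tells the server where to *send* a message.
DESTINATION_HEADERS = ("ReplyTo", "FaultTo")

# Hypothetical: the only external callback host this gateway may contact.
ALLOWED_CALLBACK_HOSTS = {"partner-callback.example.com"}


def extract_destinations(envelope_xml: str) -> List[Tuple[str, str]]:
    """Return (header_name, address) for every ReplyTo/FaultTo EPR in the SOAP header."""
    root = ET.fromstring(envelope_xml)
    header = None
    for ns in (SOAP12_NS, SOAP11_NS):  # accept SOAP 1.2 or 1.1 envelopes
        header = root.find("{%s}Header" % ns)
        if header is not None:
            break
    if header is None:
        return []
    found = []
    for name in DESTINATION_HEADERS:
        # findall, not find: a duplicated header is itself suspicious (see audit_envelope)
        for epr in header.findall("{%s}%s" % (WSA_NS, name)):
            addr = epr.find("{%s}Address" % WSA_NS)
            found.append((name, (addr.text or "").strip() if addr is not None else ""))
    return found


def check_destination(url: str) -> List[str]:
    """Return the reasons a wsa:Address must not be used as a request target; [] if acceptable."""
    if url in (WSA_ANONYMOUS, WSA_NONE):
        return []  # neither value causes a server-initiated connection
    reasons = []
    parsed = urlparse(url)
    host = parsed.hostname
    if not host:
        return ["no host in address %r" % url]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not an IP literal
    if ip is not None and not ip.is_global:
        # loopback, RFC 1918, link-local (169.254.0.0/16 includes cloud metadata), etc.
        reasons.append("non-public address %s" % host)
    if parsed.scheme != "https":
        reasons.append("scheme %r not allowed" % parsed.scheme)
    if host not in ALLOWED_CALLBACK_HOSTS:
        # A hostname still needs the same IP check at resolve time (DNS rebinding);
        # the allowlist alone is not sufficient.
        reasons.append("host %r not on the callback allowlist" % host)
    return reasons


def audit_envelope(envelope_xml: str) -> List[str]:
    """Return findings for a SOAP envelope; an empty list means the headers are acceptable."""
    findings = []
    destinations = extract_destinations(envelope_xml)
    names = [name for name, _ in destinations]
    for name in sorted(set(names)):
        if names.count(name) > 1:
            findings.append("duplicate wsa:%s headers (first/last parser differential)" % name)
    for name, url in destinations:
        reasons = check_destination(url)
        if reasons:
            findings.append("wsa:%s -> %s: %s" % (name, url, "; ".join(reasons)))
    return findings


# Constructed sample: ReplyTo aims at a cloud metadata address, FaultTo at an internal port.
MALICIOUS_ENVELOPE = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soap:Header>
    <wsa:Action>urn:example:getQuote</wsa:Action>
    <wsa:To>https://gateway.example.test/services/Quote</wsa:To>
    <wsa:ReplyTo><wsa:Address>http://169.254.169.254/latest/meta-data/</wsa:Address></wsa:ReplyTo>
    <wsa:FaultTo><wsa:Address>http://10.0.0.5:9443/services/</wsa:Address></wsa:FaultTo>
  </soap:Header>
  <soap:Body><getQuote xmlns="urn:example"><symbol>ACME</symbol></getQuote></soap:Body>
</soap:Envelope>"""

# Constructed sample: an ordinary request-response call, reply returns on the same connection.
BENIGN_ENVELOPE = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soap:Header>
    <wsa:Action>urn:example:getQuote</wsa:Action>
    <wsa:ReplyTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:ReplyTo>
  </soap:Header>
  <soap:Body><getQuote xmlns="urn:example"><symbol>ACME</symbol></getQuote></soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    for label, env in (("malicious", MALICIOUS_ENVELOPE), ("benign", BENIGN_ENVELOPE)):
        print(label, audit_envelope(env) or "ok")
```

The same two sample envelopes double as a post-patch verification aid: replay the malicious one against a test instance with the two target addresses pointed at listeners you control and confirm that no connection arrives. Note that the IP-literal check here is evaluated only on the literal in the header; a deployment that resolves hostnames must apply the same `is_global` rule to every resolved address immediately before connecting.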

Remediation

Vendor Solution

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2026-5072/#solution


OpenCVE Recommended Actions

  • Review the WSO2 security advisory WSO2-2026-5072 and obtain the published patch or configuration update that addresses the WS‑Addressing input validation flaw.
  • Deploy the patch or apply the configuration change to every running instance of WSO2 API Manager, restart the services so the fix takes effect, and verify it by replaying a SOAP request whose WS‑Addressing destination (for example a wsa:ReplyTo address) points at a listener you control: no connection should arrive.
  • If immediate patch deployment is not possible, restrict inbound SOAP traffic to trusted source addresses and disable WS‑Addressing header processing on services that do not require it. Independently of the patch, restrict outbound connections from the API Manager hosts to the backends they legitimately need, so that a forged destination cannot reach internal services or cloud metadata addresses.

Generated by OpenCVE AI on June 26, 2026 at 08:20 UTC.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type            Values Removed   Values Added
Metrics (ssvc)                   {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 11:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wso2; Wso2 wso2 Api Manager
Vendors & Products                    Wso2; Wso2 wso2 Api Manager

Fri, 26 Jun 2026 07:45:00 +0000

Type                Values Removed   Values Added
Description                          The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows an attacker to manipulate WS-Addressing headers to specify arbitrary destinations for server-initiated requests. Successful exploitation allows an unauthenticated attacker to control the destination of server-initiated requests originating from the WSO2 API Manager. This direct control can enable unauthorized access to internal network resources or services that would typically be inaccessible from external networks.
Title                                Unauthenticated Server-Side Request Forgery via WS-Addressing in WSO2 API Manager
Weaknesses                           CWE-918
References
Metrics (cvssV3_1)                   {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L'}


Subscriptions

Wso2 Wso2 Api Manager
MITRE

Status: PUBLISHED

Assigner: WSO2

Published:

Updated: 2026-06-26T16:10:15.803Z

Reserved: 2026-02-06T06:12:48.334Z

Link: CVE-2026-2053

Vulnrichment

Updated: 2026-06-26T16:09:57.476Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T11:00:14Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)