Description
The throttling event handling mechanism in multiple WSO2 products accepts user-supplied JSON payloads without sufficient validation of their structure and content. This allows an unauthenticated remote attacker to inject malicious JSON data that can lead to a persistent denial of service condition.

Successful exploitation of this vulnerability can disrupt the API Gateway, preventing legitimate API traffic from being processed and impacting complete service availability. The denial of service is persistent, requiring manual intervention to restore normal operations.
Published: 2026-07-06
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the throttling event handler in multiple WSO2 products, which accepts user-supplied JSON payloads without sufficient validation. An unauthenticated remote attacker can craft malicious JSON and send it, triggering a related services. The disruption is permanent and requires manual intervention to restore normal operations.

Affected Systems

WSO2 API Control Plane, WSO2 API Manager, WSO2 Traffic Manager, and WSO2 Universal Gateway. All current versions of these products are affected.

Risk and Exploitability

With a CVSS score of 8.6 the vulnerability is classified as high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is unauthenticated remote, relying on sending malicious JSON to the throttling event API; no authentication or privileged access is required.

Generated by OpenCVE AI on July 6, 2026 at 16:57 UTC.

Remediation

Vendor Solution

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2026-5236/#solution


OpenCVE Recommended Actions

  • Apply the patch or upgrade to the fixed versions following the instructions in the WSO2 2026-5236 solution document (https/en/latest/security-announcements/security-advisories/2026/WSO2-2026-5236/#solution).
  • If patching is not immediately possible, temporarily restrict or disable the throttling event endpoint using firewall rules or configuration changes to prevent unauthenticated access.
  • Continuously monitor application logs for malformed JSON payloads and schedule automatic or manual service restarts if a persistent denial of service condition is detected.

Generated by OpenCVE AI on July 6, 2026 at 16:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 10:30:00 +0000

Type Values Removed Values Added
Description The throttling event handling mechanism in multiple WSO2 products accepts user-supplied JSON payloads without sufficient validation of their structure and content. This allows an unauthenticated remote attacker to inject malicious JSON data that can lead to a persistent denial of service condition. Successful exploitation of this vulnerability can disrupt the API Gateway, preventing legitimate API traffic from being processed and impacting complete service availability. The denial of service is persistent, requiring manual intervention to restore normal operations.
Title Denial of Service via Malicious JSON Payloads in Throttling Events in Multiple WSO2 Products Causing Persistent Service Disruption
First Time appeared Wso2
Wso2 wso2 Api Control Plane
Wso2 wso2 Api Manager
Wso2 wso2 Traffic Manager
Wso2 wso2 Universal Gateway
Weaknesses CWE-707
CPEs cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*
Vendors & Products Wso2
Wso2 wso2 Api Control Plane
Wso2 wso2 Api Manager
Wso2 wso2 Traffic Manager
Wso2 wso2 Universal Gateway
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}


Subscriptions

Wso2 Wso2 Api Control Plane Wso2 Api Manager Wso2 Traffic Manager Wso2 Universal Gateway
cve-icon MITRE

Status: PUBLISHED

Assigner: WSO2

Published:

Updated: 2026-07-06T11:03:48.847Z

Reserved: 2026-03-16T05:47:35.673Z

Link: CVE-2026-4249

cve-icon Vulnrichment

Updated: 2026-07-06T11:03:28.003Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:00:05Z

Weaknesses