Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.
History

Tue, 21 Oct 2025 09:45:00 +0000

Type: First Time appeared
Values Added:
  Wso2
  Wso2 api Control Plane
  Wso2 api Manager
  Wso2 carbon
  Wso2 identity Server
  Wso2 identity Server As Key Manager
  Wso2 open Banking Am
  Wso2 open Banking Iam
  Wso2 open Banking Km
  Wso2 traffic Manager
  Wso2 universal Gateway

Type: Vendors & Products
Values Added:
  Wso2
  Wso2 api Control Plane
  Wso2 api Manager
  Wso2 carbon
  Wso2 identity Server
  Wso2 identity Server As Key Manager
  Wso2 open Banking Am
  Wso2 open Banking Iam
  Wso2 open Banking Km
  Wso2 traffic Manager
  Wso2 universal Gateway

Thu, 16 Oct 2025 14:15:00 +0000

Type: Weaknesses
Values Added: CWE-863

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Oct 2025 12:30:00 +0000

Type: Description
Values Added: Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.

Type: Title
Values Added: Potential Broken Access Control in Multiple WSO2 Products via System REST APIs

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: WSO2

Published: 2025-10-16T12:09:31.802Z

Updated: 2025-10-16T13:34:31.799Z

Reserved: 2025-09-17T08:56:27.794Z

Link: CVE-2025-10611

Vulnrichment

Updated: 2025-10-16T13:24:43.729Z

NVD

Status: Awaiting Analysis

Published: 2025-10-16T13:15:40.640

Modified: 2025-10-16T15:28:59.610

Link: CVE-2025-10611

Redhat

No data.