An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint. A malicious user can exploit this flaw to generate access tokens with elevated privileges, potentially leading to administrative access and the ability to perform unauthorized operations.
History

Tue, 21 Oct 2025 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*

Mon, 20 Oct 2025 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Wso2
Wso2 api Control Plane
Wso2 api Manager
Vendors & Products Wso2
Wso2 api Control Plane
Wso2 api Manager

Fri, 17 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306

Thu, 16 Oct 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Oct 2025 13:00:00 +0000

Type Values Removed Values Added
Description An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint. A malicious user can exploit this flaw to generate access tokens with elevated privileges, potentially leading to administrative access and the ability to perform unauthorized operations.
Title Improper Privilege Management in Multiple WSO2 API Manager via keymanager-operations DCR Endpoint
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: WSO2

Published: 2025-10-16T12:37:00.966Z

Updated: 2025-10-17T16:00:41.854Z

Reserved: 2025-08-19T08:48:03.616Z

Link: CVE-2025-9152

cve-icon Vulnrichment

Updated: 2025-10-16T12:57:59.271Z

cve-icon NVD

Status : Analyzed

Published: 2025-10-16T13:15:41.840

Modified: 2025-10-21T18:33:41.413

Link: CVE-2025-9152

cve-icon Redhat

No data.