8.8
CVE-2025-8325
- EPSS 0.17%
- Published 11.05.2026 10:16:13
- Last modified 27.05.2026 19:41:03
- Source ed10eef1-636d-4fbe-9993-6890df
Improper Access Control via Gateway API in Multiple WSO2 Products Allows Unauthorized Operations
The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions. A malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges. This could lead to unintended behavior or misuse, particularly in production environments.
Data provided by the National Vulnerability Database (NVD)
Wso2 ≫ Api Control Plane Version >= 4.5.0 < 4.5.0.18
Wso2 ≫ Api Manager Version >= 3.2.0 < 3.2.0.435
Wso2 ≫ Api Manager Version >= 3.2.1 < 3.2.1.55
Wso2 ≫ Api Manager Version >= 4.0.0 < 4.0.0.355
Wso2 ≫ Api Manager Version >= 4.1.0 < 4.1.0.219
Wso2 ≫ Api Manager Version >= 4.2.0 < 4.2.0.157
Wso2 ≫ Api Manager Version >= 4.3.0 < 4.3.0.70
Wso2 ≫ Api Manager Version >= 4.4.0 < 4.4.0.33
Wso2 ≫ Api Manager Version >= 4.5.0 < 4.5.0.17
Wso2 ≫ Traffic Manager Version >= 4.5.0 < 4.5.0.17
Wso2 ≫ Universal Gateway Version >= 4.5.0 < 4.5.0.17
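A defender-side check derived from the affected-products list above, as an added example (not WSO2's or NVD's own tooling): it reports whether a given product and version fall inside one of the listed ranges. It assumes plain dotted numeric version strings and reads the ">=" bound as inclusive and the "<" bound as exclusive, as the list states.

```python
"""Check a WSO2 product/version against the CVE-2025-8325 affected ranges.
Added example; the product names and ranges are copied from the list above."""
from typing import List, Tuple

# (product, first affected version inclusive, first fixed version exclusive)
AFFECTED: List[Tuple[str, str, str]] = [
    ("Api Control Plane", "4.5.0", "4.5.0.18"),
    ("Api Manager", "3.2.0", "3.2.0.435"),
    ("Api Manager", "3.2.1", "3.2.1.55"),
    ("Api Manager", "4.0.0", "4.0.0.355"),
    ("Api Manager", "4.1.0", "4.1.0.219"),
    ("Api Manager", "4.2.0", "4.2.0.157"),
    ("Api Manager", "4.3.0", "4.3.0.70"),
    ("Api Manager", "4.4.0", "4.4.0.33"),
    ("Api Manager", "4.5.0", "4.5.0.17"),
    ("Traffic Manager", "4.5.0", "4.5.0.17"),
    ("Universal Gateway", "4.5.0", "4.5.0.17"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into integers and pad to four components, so a
    bare release such as '4.5.0' compares as 4.5.0.0 against the four-part
    fixed versions (the ranges above mix three- and four-part strings)."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(product: str, version: str) -> bool:
    """True if version lies in [start, fixed) for any range of that product.
    Versions at or above the fixed version, or outside every listed
    release line for the product, are reported as not affected."""
    ver = parse_version(version)
    for name, start, fixed in AFFECTED:
        if name.lower() != product.lower():
            continue
        if parse_version(start) <= ver < parse_version(fixed):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    for prod, ver in [("Api Manager", "4.5.0"), ("Api Manager", "4.5.0.17"),
                      ("Api Control Plane", "4.5.0.17"), ("Universal Gateway", "4.4.0")]:
        print(f"{prod} {ver}: {'AFFECTED' if is_affected(prod, ver) else 'not affected'}")
```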
VulnDex Vulnerability Enrichment
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.17% | 0.07 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| ed10eef1-636d-4fbe-9993-6890dfa878f8 | 6.3 | 2.8 | 3.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
CWE-281 Improper Preservation of Permissions
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4401/