CVE-2025-9973

EPSS 0.37%
Veröffentlicht 11.05.2026 12:16:11
Zuletzt bearbeitet 27.05.2026 19:13:13
Quelle ed10eef1-636d-4fbe-9993-6890df
CVE-Watchlists
Login
Unerledigt
Login

Authorization Bypass via Adaptive Authentication in WSO2 Identity Server Allows Cross-Organization Account Takeover

Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to configure adaptive authentication within one organization can leverage this functionality to execute authentication logic on other organizations and sub-organizations.

This flaw allows bypassing authorization boundaries between organizations, leading to unauthorized access to critical operations and user accounts in other organizations. When adaptive authentication is enabled in a multi-organization deployment, a malicious actor with privileges to configure adaptive authentication in one organization could exploit this feature to perform critical operations in other organizations without authorization. This may result in privilege escalation, unauthorized access to resources, and potential account takeover across organizations.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wso2 ≫ Identity Server Version >= 7.1.0 < 7.1.0.26

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.37%	0.282

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
ed10eef1-636d-4fbe-9993-6890dfa878f8	6.4	0.9	5.5	CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4530/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-9973

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-9973

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-9973

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-9973