An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint. A malicious user can exploit this flaw to generate access tokens with elevated privileges, potentially leading to administrative access and the ability to perform unauthorized operations.
The DCR endpoint in the keymanager-operations component does not require authentication or authorization (CWE-306: Missing Authentication for Critical Function). An attacker can directly send requests to this endpoint over the network without providing any authentication credentials. As a result, it is possible to generate access tokens with elevated privileges, which can subsequently be used to perform unauthorized administrative operations in the system.
An attacker can obtain access tokens with administrative privileges and perform arbitrary unauthorized operations in the system, leading to complete breach of confidentiality, integrity, and availability of the API Manager platform.
Apply patches available from the vendor according to the references — detailed information about patched versions is contained in the WSO2 security advisory available at: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4483/
WSO2 API Manager and WSO2 API Control Plane — specific versions indicated in vendor references (WSO2-2025-4483)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HWso2 Api Control Plane
APPWso24.5.0Wso2 Api Manager
APPWso23.2.03.2.14.0.04.1.04.2.04.3.04.4.04.5.0
Related vulnerabilities
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must u...
WSO2 API Manager – RCE przez upload pliku z uprawnieniami administratora
Brak wymuszania uwierzytelniania mTLS w produktach WSO2 — nieautoryzowany dostęp administracyjny
Pominięcie kontroli dostępu w produktach WSO2 – nieautoryzowany dostęp administracyjny
Nieprawidłowa kontrola dostępu w wewnętrznych API WSO2 (SOAP/REST)