Vulnerability Database

311,448

Total vulnerabilities in the database

CVE-2025-9804

An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.

This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.

  • Published: Oct 16, 2025
  • Updated: Nov 17, 2025
  • CVE: CVE-2025-9804
  • Severity: Critical
  • Exploit:

CVSS v3:

  • Severity: Critical
  • Score: 9.6
  • AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWEs:

OWASP TOP 10:

Software From Fixed in
wso2 / api_control_plane 4.5.0 4.5.0.x
wso2 / api_manager 2.0.0 2.0.0.x
wso2 / api_manager 2.1.0 2.1.0.x
wso2 / api_manager 2.2.0 2.2.0.x
wso2 / api_manager 2.5.0 2.5.0.x
wso2 / api_manager 2.6.0 2.6.0.x
wso2 / api_manager 3.0.0 3.0.0.x
wso2 / api_manager 3.1.0 3.1.0.x
wso2 / api_manager 3.2.0 3.2.0.x
wso2 / api_manager 3.2.1 3.2.1.x
wso2 / api_manager 4.0.0 4.0.0.x
wso2 / api_manager 4.1.0 4.1.0.x
wso2 / api_manager 4.2.0 4.2.0.x
wso2 / api_manager 4.3.0 4.3.0.x
wso2 / api_manager 4.4.0 4.4.0.x
wso2 / api_manager 4.5.0 4.5.0.x
wso2 / api_manager_analytics 2.0.0 2.0.0.x
wso2 / api_manager_analytics 2.1.0 2.1.0.x
wso2 / api_manager_analytics 2.2.0 2.2.0.x
wso2 / api_manager_analytics 2.5.0 2.5.0.x
wso2 / data_analytics_server 3.1.0 3.1.0.x
wso2 / data_analytics_server 3.2.0 3.2.0.x
wso2 / enterprise_integrator 6.2.0 6.2.0.x
wso2 / enterprise_integrator 6.3.0 6.3.0.x
wso2 / enterprise_mobility_manager 2.2.0 2.2.0.x
wso2 / enterprise_service_bus 5.0.0 5.0.0.x
wso2 / identity_server 5.2.0 5.2.0.x
wso2 / identity_server 5.3.0 5.3.0.x
wso2 / identity_server 5.4.0 5.4.0.x
wso2 / identity_server 5.4.1 5.4.1.x
wso2 / identity_server 5.5.0 5.5.0.x
wso2 / identity_server 5.6.0 5.6.0.x
wso2 / identity_server 5.7.0 5.7.0.x
wso2 / identity_server 5.8.0 5.8.0.x
wso2 / identity_server 5.9.0 5.9.0.x
wso2 / identity_server 5.10.0 5.10.0.x
wso2 / identity_server 5.11.0 5.11.0.x
wso2 / identity_server 6.0.0 6.0.0.x
wso2 / identity_server 6.1.0 6.1.0.x
wso2 / identity_server 7.0.0 7.0.0.x
wso2 / identity_server 7.1.0 7.1.0.x
wso2 / identity_server_analytics 5.2.0 5.2.0.x
wso2 / identity_server_analytics 5.3.0 5.3.0.x
wso2 / identity_server_analytics 5.5.0 5.5.0.x
wso2 / identity_server_analytics 5.6.0 5.6.0.x
wso2 / identity_server_as_key_manager 5.3.0 5.3.0.x
wso2 / identity_server_as_key_manager 5.5.0 5.5.0.x
wso2 / identity_server_as_key_manager 5.6.0 5.6.0.x
wso2 / identity_server_as_key_manager 5.7.0 5.7.0.x
wso2 / identity_server_as_key_manager 5.9.0 5.9.0.x
wso2 / identity_server_as_key_manager 5.10.0 5.10.0.x
wso2 / open_banking_am 1.4.0 1.4.0.x
wso2 / open_banking_am 1.5.0 1.5.0.x
wso2 / open_banking_am 2.0.0 2.0.0.x
wso2 / open_banking_iam 2.0.0 2.0.0.x
wso2 / open_banking_km 1.4.0 1.4.0.x
wso2 / open_banking_km 1.5.0 1.5.0.x
wso2 / traffic_manager 4.5.0 4.5.0.x
wso2 / universal_gateway 4.5.0 4.5.0.x