WSO2 API Access Control Vulnerability (CVE-2025-9804) Security Advisory

Key Information Vulnerability Identifier CVE ID: CVE-2025-9804 WSO2 Security Advisory ID: WS02-2025-4503 Affected Products WSO2 API Manager: 4.0.0, 3.2.0, 3.1.0, 3.0.0 WSO2 Analytics Dashboard: 4.0.0 WSO2 Identity Server: 6.0.0, 5.11.0, 5.10.0, 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, 5.4.0, 5.3.0, 5.2.0, 5.1.0, 5.0.0 WSO2 Data Analytics Server: 3.2.0, 3.1.0 WSO2 Enterprise Integrator: 6.6.0, 6.5.0, 6.4.0, 6.3.0, 6.2.0, 6.1.1, 6.1.0, 6.0.0 WSO2 Integration Studio: 8.0.0, 7.2.0 WSO2 Stream Processor: 4.0.0 WSO2 Business Rules: 2.0.0 WSO2 Developer Studio: 4.0.0 WSO2 DevOps Gateway: 4.0.0 Vulnerability Description Overview: Unauthorized actors can gain control over WSO2 API Manager and system REST APIs, leading to sensitive information disclosure. Detailed Description: Due to a vulnerability in API access control, malicious actors can exploit WSO2 API Manager APIs to retrieve sensitive information. Impact Successful exploitation of this vulnerability may allow malicious actors to perform unauthorized operations or access sensitive data within the affected products. Remediation Community Users (Open Source Editions): Apply the relevant fixes as described in the public GitHub repository. Supported Subscription Customers: Upgrade to the specified patch level or apply the provided patch to resolve the issue. CVSS Score CVSS v3.1 Base Score: 7.5 CVSS v3.1 Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Goal Reached Thanks to every supporter — we hit 100%!

WSO2 API Access Control Vulnerability (CVE-2025-9804) Security Advisory