Federated Authentication Role Overwrite in WSO2 Products
CVE-2024-1248
4.8MEDIUM
Key Information:
- Vendor
Wso2
- Vendor
- CVE Published:
- 4 July 2026
What is CVE-2024-1248?
The silent Just-In-Time (JIT) provisioning feature in WSO2 Identity Server fails to properly segregate roles when a federated user shares a username with a local user. This oversight can lead to the unintended modification of local user roles during the account creation process by a malicious actor who exploits the JIT provisioning mechanism. The attack requires knowledge of a local username and the presence of a federated identity provider with JIT provisioning enabled. Once successfully exploited, the roles of local users can be overwritten with those assigned to the federated user, posing a risk of unauthorized access.
Affected Version(s)
WSO2 API Manager 3.0.0 < 3.0.0.153
WSO2 API Manager 3.1.0 < 3.1.0.267
WSO2 API Manager 3.2.0 < 3.2.0.351
