Privilege Escalation Vulnerability in WSO2 Products
CVE-2024-7096

4.2 MEDIUM

What is CVE-2024-7096?

A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in the SOAP admin services. Exploiting it requires a malicious actor who can reach the SOAP admin services (served on the management port under the /services/ path by default) and who knows both the name of a specific custom role and an internal attribute used in the deployment. If the deployment has at least one custom role carrying non-default permissions, the attacker can create a new user holding that role and therefore its elevated privileges, bypassing the intended access control. Deployments with no custom roles, or whose custom roles keep the default permission set, do not meet the precondition. Organizations using WSO2 products should apply the vendor update and, as general hardening, keep the SOAP admin services unreachable from untrusted networks and audit which custom roles carry non-default permissions.
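One defensive check against this vulnerability's outcome (a newly created user holding a custom role with non-default permissions) is to watch the product's audit log for user-creation and role-assignment events that grant such roles. The script below is an added example, not code from this page or from WSO2: it parses constructed audit lines modelled on the style of WSO2's audit.log (the exact field layout, the action strings, and the role and initiator names are assumptions made for illustration), and flags successful "Add User" or "Update Roles of User" events that grant any role from a configured elevated-role set, additionally noting when the initiator is not a trusted administrator.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

# Constructed sample lines in the style of WSO2's audit.log. The field layout is an
# assumption for this example, not copied from a real deployment; adapt LINE_RE to
# the format your version actually emits.
SAMPLE_AUDIT_LINES = [
    '[2024-08-01 10:02:11,004]  INFO {AUDIT_LOG} - Initiator : admin | Action : Add User '
    '| Target : alice | Data : { "Roles" : ["Internal/everyone"], "Claims" : {} } | Result : Success',
    '[2024-08-01 10:05:42,117]  INFO {AUDIT_LOG} - Initiator : svc-provisioner | Action : Add User '
    '| Target : ops-bot | Data : { "Roles" : ["Internal/everyone","custom_publisher"], "Claims" : {} } | Result : Success',
    '[2024-08-01 10:06:03,550]  INFO {AUDIT_LOG} - Initiator : admin | Action : Update Roles of User '
    '| Target : bob | Data : { "Roles" : ["custom_publisher","admin"] } | Result : Success',
    '[2024-08-01 10:07:19,002]  INFO {AUDIT_LOG} - Initiator : admin | Action : Delete User '
    '| Target : carol | Data : {} | Result : Success',
]

# One audit record: timestamp, then pipe-separated "Key : value" fields.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*?Initiator : (?P<initiator>.+?) \| Action : (?P<action>.+?) "
    r"\| Target : (?P<target>.+?) \| Data : (?P<data>.*?) \| Result : (?P<result>\w+)\s*$"
)
# The JSON-like Data field carries the role list as "Roles" : [ ... ].
ROLES_RE = re.compile(r'"Roles"\s*:\s*\[(?P<inner>[^\]]*)\]')

# Actions that hand roles to a user account (constructed names, see lead-in).
ROLE_GRANT_ACTIONS = {"Add User", "Update Roles of User"}


@dataclass
class AuditEvent:
    timestamp: str
    initiator: str
    action: str
    target: str
    roles: List[str]
    result: str


@dataclass
class Finding:
    event: AuditEvent
    reasons: List[str] = field(default_factory=list)


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Parse one audit line into an AuditEvent; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    roles: List[str] = []
    rm = ROLES_RE.search(m.group("data"))
    if rm:
        # Split the quoted, comma-separated role names and strip the quotes.
        roles = [r.strip().strip('"') for r in rm.group("inner").split(",") if r.strip()]
    return AuditEvent(
        timestamp=m.group("ts"),
        initiator=m.group("initiator").strip(),
        action=m.group("action").strip(),
        target=m.group("target").strip(),
        roles=roles,
        result=m.group("result"),
    )


def find_suspicious_role_grants(
    lines: Iterable[str], trusted_initiators: Set[str], elevated_roles: Set[str]
) -> List[Finding]:
    """Flag successful role-granting events that assign any role in elevated_roles.

    elevated_roles should hold the deployment's custom roles that carry non-default
    permissions (plus built-in privileged roles); trusted_initiators the accounts
    expected to perform user administration.
    """
    findings: List[Finding] = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None or ev.action not in ROLE_GRANT_ACTIONS or ev.result != "Success":
            continue
        granted = [r for r in ev.roles if r in elevated_roles]
        if not granted:
            continue
        reasons = [f"grants elevated role(s): {', '.join(granted)}"]
        if ev.initiator not in trusted_initiators:
            reasons.append(f"initiator '{ev.initiator}' is not a trusted administrator")
        findings.append(Finding(ev, reasons))
    return findings


if __name__ == "__main__":
    hits = find_suspicious_role_grants(
        SAMPLE_AUDIT_LINES,
        trusted_initiators={"admin"},
        elevated_roles={"custom_publisher", "admin"},
    )
    for f in hits:
        print(f"{f.event.timestamp} {f.event.action} -> {f.event.target}: {'; '.join(f.reasons)}")
```

In practice, feed the script the lines from `<WSO2_HOME>/repository/logs/audit.log` (or the collector that ships them) and build `elevated_roles` from the deployment's own role-to-permission mapping rather than a hand-written set. Because the check keys on the outcome (an account gaining a custom role with non-default permissions) rather than on the specific admin service operation used, it also surfaces legitimate but unexpected grants that deserve review.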

Affected Version(s)

Ranges are given as a base version followed by the first fixed WSO2 update level; for example, "2.0.0 < 2.0.0.29" means 2.0.0 installations at an update level below 29.

WSO2 API Manager 2.0.0 < 2.0.0.29

WSO2 API Manager 2.1.0 < 2.1.0.39

WSO2 API Manager 2.2.0 < 2.2.0.56

CVSS V3.1

Vector:
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Score:
4.2
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Adjacent Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
