Authorization Flaw in WSO2 Products Allows Unauthorized User Account Creation
CVE-2024-7097

4.3MEDIUM

Key Information:

Vendor: Wso2
Status: Wso2 Open Banking Am; Wso2 Open Banking Km; Wso2 Identity Server As Key Manager; Wso2 Api Manager
Vendor: CVE Published:; 30 May 2025

What is CVE-2024-7097?

A serious flaw in the SOAP admin service of multiple WSO2 products allows unauthorized user account creation, even bypassing self-registration settings. This weakness could enable malicious actors to generate numerous low-privileged accounts, compromising system integrity. It poses risks of unauthorized access and potential resource exhaustion from excessive user account creation.

Affected Version(s)

WSO2 API Manager 2.0.0 < 2.0.0.29

WSO2 API Manager 2.1.0 < 2.1.0.39

WSO2 API Manager 2.2.0 < 2.2.0.56

References

https://security.docs.wso2.com/en/latest/security-announc...

vendor-advisory

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 30, 2025
Vulnerability Reserved
Jul 25, 2024

Wso2

What is CVE-2024-7097?

Affected Version(s)

References

CVSS V3.1

Timeline