Access Control Bypass in WSO2 Products
CVE-2025-10611

9.8CRITICAL

Key Information:

Vendor: Wso2
Status: Wso2 Api Manager; Wso2 Api Control Plane; Wso2 Open Banking Am; Wso2 Open Banking Iam
Vendor: CVE Published:; 16 October 2025

What is CVE-2025-10611?

A critical access control vulnerability has been identified in various WSO2 products, where insufficient access control mechanisms allow REST APIs to be invoked without appropriate authentication and authorization checks. This flaw permits malicious actors to perform unauthorized administrative actions, potentially leading to severe compromises of system integrity and data security. Organizations utilizing these products should ensure they are updated to the latest secure versions and review their security configurations.

Affected Version(s)

org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.1.1 < 1.1.1.7

org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.1.16 < 1.1.16.6

org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service 1.1.18 < 1.1.18.7

References

https://security.docs.wso2.com/en/latest/security-announc...

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 16, 2025
Vulnerability Reserved
Sep 17, 2025

JSON

Wso2

What is CVE-2025-10611?

Affected Version(s)

References

CVSS V3.1

Timeline