Cross-Tenant Consent Sharing Vulnerability in WSO2 SaaS Applications
CVE-2025-13475
Key Information:
- Vendor: WSO2
- CVE Published: 4 July 2026
What is CVE-2025-13475?
In multi-tenant environments, a flaw in the application consent management mechanism can cause consent scopes to be shared inappropriately between tenants. If a user grants consent for a SaaS application in one tenant, that consent may inadvertently extend to instances of the same application in other tenants. This poses significant risks, as it may lead to unauthorized access to user data across different tenants, allowing one SaaS application to access and potentially modify information without the user's explicit consent. The issue is particularly concerning for organizations that rely on multi-tenancy for their SaaS solutions, and it emphasizes the need for stringent data isolation measures.
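The class of flaw described above can be shown with a simplified consent store. This is an added illustration, not WSO2 code: the page does not describe the product's internals, so the keying scheme, class names, tenant names and scopes below are all assumptions made for the example. It contrasts a store that omits the tenant from its lookup key with one that includes it, and the helper doubles as an isolation regression check.

```python
"""Simplified model of a consent store (illustration only, not WSO2 code)."""
from dataclasses import dataclass, field


@dataclass
class SharedConsentStore:
    """Vulnerable pattern (assumed): consent is keyed by (user, app) only."""
    _grants: dict = field(default_factory=dict)

    def grant(self, tenant, user, app, scopes):
        # The tenant argument is accepted but never becomes part of the key.
        self._grants.setdefault((user, app), set()).update(scopes)

    def approved(self, tenant, user, app, scope):
        return scope in self._grants.get((user, app), set())


@dataclass
class TenantScopedConsentStore:
    """Isolated pattern: the tenant is part of every key and every lookup."""
    _grants: dict = field(default_factory=dict)

    def grant(self, tenant, user, app, scopes):
        self._grants.setdefault((tenant, user, app), set()).update(scopes)

    def approved(self, tenant, user, app, scope):
        return scope in self._grants.get((tenant, user, app), set())


def cross_tenant_leaks(store, tenants, user, app, scopes):
    """Grant consent in the first tenant, then report every (tenant, scope)
    pair that is approved in a tenant where the user never consented."""
    store.grant(tenants[0], user, app, scopes)
    return sorted(
        (t, s) for t in tenants[1:] for s in scopes
        if store.approved(t, user, app, s)
    )


# Constructed sample data: two tenants hosting the same SaaS application.
TENANTS = ["tenant-a.example", "tenant-b.example"]
SCOPES = ["profile", "email"]

if __name__ == "__main__":
    for cls in (SharedConsentStore, TenantScopedConsentStore):
        leaks = cross_tenant_leaks(cls(), TENANTS, "alice", "crm-app", SCOPES)
        print(f"{cls.__name__}: {leaks or 'no cross-tenant approvals'}")
```

An empty result from `cross_tenant_leaks` is the property a multi-tenant deployment should hold; any non-empty result means consent granted in one tenant is being honoured in another.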
Affected Version(s)
WSO2 API Manager 3.2.0 < 3.2.0.457
WSO2 API Manager 3.2.1 < 3.2.1.76
WSO2 Identity Server 5.10.0 < 5.10.0.382
