Cross-Tenant Consent Sharing Vulnerability in WSO2 SaaS Applications
CVE-2025-13475

3.5 LOW

Key Information:

Vendor: WSO2

CVE Published: 4 July 2026

What is CVE-2025-13475?

In multi-tenancy environments, a flaw in the application consent management mechanism can cause inappropriate sharing of consent scopes between tenants. If a user grants consent for a SaaS application in one tenant, that consent may inadvertently extend to instances of the same application in other tenants. This flaw poses significant risks as it may lead to unauthorized access to user data across different tenants, allowing one SaaS application to access and potentially modify information without the user's explicit consent. This issue is particularly concerning for organizations that rely on multi-tenancy for their SaaS solutions and emphasizes the need for stringent data isolation measures.
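One way to audit for the behaviour described above, as an added example that is not WSO2 code: it replays consent and token events and flags any token whose scopes were never consented to in the issuing tenant, noting when a matching consent exists only in another tenant. The event shape, field names, tenant domains and application name are constructed assumptions, not a WSO2 log format.

```python
from collections import defaultdict

# Constructed sample events; field names are assumptions, not a WSO2 log format.
EVENTS = [
    {"type": "consent_granted", "tenant": "a.example", "user": "alice",
     "app": "crm-saas", "scopes": ["profile", "email"]},
    {"type": "token_issued", "tenant": "a.example", "user": "alice",
     "app": "crm-saas", "scopes": ["profile"]},
    # Same user and application, different tenant, no consent given there.
    {"type": "token_issued", "tenant": "b.example", "user": "alice",
     "app": "crm-saas", "scopes": ["profile", "email"]},
    {"type": "consent_granted", "tenant": "b.example", "user": "bob",
     "app": "crm-saas", "scopes": ["profile"]},
    # Scope exceeds what bob consented to, with no consent in any other tenant.
    {"type": "token_issued", "tenant": "b.example", "user": "bob",
     "app": "crm-saas", "scopes": ["profile", "email"]},
]


def find_unconsented_issuances(events):
    """Flag token issuances whose scopes lack consent in the issuing tenant."""
    consented = defaultdict(set)  # (tenant, user, app) -> consented scopes
    findings = []
    for ev in events:  # events are assumed to be in time order
        key = (ev["tenant"], ev["user"], ev["app"])
        if ev["type"] == "consent_granted":
            consented[key] |= set(ev["scopes"])
        elif ev["type"] == "token_issued":
            missing = set(ev["scopes"]) - consented.get(key, set())
            if not missing:
                continue
            # Other tenants where the same user consented to the same app
            # for at least one of the scopes missing in this tenant.
            donors = sorted(
                t for (t, u, a), scopes in consented.items()
                if t != ev["tenant"] and (u, a) == key[1:] and missing & scopes
            )
            findings.append({
                "tenant": ev["tenant"], "user": ev["user"], "app": ev["app"],
                "missing": sorted(missing), "donor_tenants": donors,
            })
    return findings


if __name__ == "__main__":
    for f in find_unconsented_issuances(EVENTS):
        kind = "cross-tenant consent reuse" if f["donor_tenants"] else "no consent on record"
        print(kind, f)
```

A finding with a non-empty `donor_tenants` list matches the cross-tenant pattern; an empty list points to a different consent gap.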

Affected Version(s)

WSO2 API Manager 3.2.0 < 3.2.0.457

WSO2 API Manager 3.2.1 < 3.2.1.76

WSO2 Identity Server 5.10.0 < 5.10.0.382

CVSS V3.1

Score: 3.5
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
