Authentication Logic Bypass in WSO2 Identity Server
CVE-2025-9973

6.4 MEDIUM

What is CVE-2025-9973?

WSO2 Identity Server contains a vulnerability caused by improper validation of the organization context during adaptive authentication flows. A malicious actor holding configuration privileges in their own organization can use the adaptive authentication features intended for that organization to perform authentication actions (such as the user and role operations exposed to conditional authentication scripts) against other organizations and sub-organizations. The resulting risks include privilege escalation, unauthorized resource access, and possible account takeover, particularly in multi-organization deployments where adaptive authentication is enabled.

Affected Version(s)

  • Conditional Authentication User and Roles Related Functions 1.2.76 < 1.2.76.1

  • WSO2 Identity Server 7.1.0 < 7.1.0.26

  • Conditional Authentication User and Roles Related Functions 1.2.82

CVSS V3.1

  • Score: 6.4
  • Severity: MEDIUM
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved