Vulnerability in WSO2 API Manager's Message Flow Component Allows Destination Manipulation
CVE-2026-2053

8.3 HIGH

Key Information:

Vendor: WSO2
CVE Published: 26 June 2026

What is CVE-2026-2053?

WSO2 API Manager has an input validation issue in its message flow component when handling WS-Addressing headers. Because user-controlled input is not adequately validated, an attacker can redirect server-initiated requests to unauthorized locations. This may give the attacker access to internal resources that would otherwise be protected from external threats, potentially compromising sensitive data and application integrity.

Affected Version(s)

WSO2 API Manager 3.1.0 < 3.1.0.360

WSO2 API Manager 3.2.0 < 3.2.0.465

WSO2 API Manager 3.2.1 < 3.2.1.84

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
