Denial of Service Vulnerability in WSO2 API Gateway Products
CVE-2026-4249

8.6HIGH

What is CVE-2026-4249?

The throttling event handling mechanism in various WSO2 API Gateway products fails to adequately validate user-supplied JSON payloads. This shortcoming allows unauthenticated remote attackers to inject malicious JSON, resulting in persistent denial of service conditions. Such exploitation can severely disrupt API processing capabilities, leading to significant service outages that require manual intervention to rectify and restore normal operations.

Affected Version(s)

WSO2 API Control Plane 4.5.0 < 4.5.0.55

WSO2 API Control Plane 4.6.0 < 4.6.0.19

WSO2 API Control Plane 4.7.0 < 4.7.0.2

References

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.