Denial of Service Vulnerability in WSO2 API Gateway Products
CVE-2026-4249
8.6HIGH
Key Information:
- Vendor
Wso2
- Vendor
- CVE Published:
- 6 July 2026
What is CVE-2026-4249?
The throttling event handling mechanism in various WSO2 API Gateway products fails to adequately validate user-supplied JSON payloads. This shortcoming allows unauthenticated remote attackers to inject malicious JSON, resulting in persistent denial of service conditions. Such exploitation can severely disrupt API processing capabilities, leading to significant service outages that require manual intervention to rectify and restore normal operations.
Affected Version(s)
WSO2 API Control Plane 4.5.0 < 4.5.0.55
WSO2 API Control Plane 4.6.0 < 4.6.0.19
WSO2 API Control Plane 4.7.0 < 4.7.0.2
