Home
CRITICAL: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDefault status
unaffected
Any version before 3.2.0
unknown
3.2.0 (custom) before 3.2.0.437
affected
3.2.1 (custom) before 3.2.1.57
affected
4.0.0 (custom) before 4.0.0.357
affected
4.1.0 (custom) before 4.1.0.221
affected
4.2.0 (custom) before 4.2.0.159
affected
4.3.0 (custom) before 4.3.0.72
affected
4.4.0 (custom) before 4.4.0.35
affected
4.5.0 (custom) before 4.5.0.19
affected
Default status
unaffected
4.5.0 (custom) before 4.5.0.20
affected
Description
An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint. A malicious user can exploit this flaw to generate access tokens with elevated privileges, potentially leading to administrative access and the ability to perform unauthorized operations.
Product status
Any version before 3.2.0
3.2.0 (custom) before 3.2.0.437
3.2.1 (custom) before 3.2.1.57
4.0.0 (custom) before 4.0.0.357
4.1.0 (custom) before 4.1.0.221
4.2.0 (custom) before 4.2.0.159
4.3.0 (custom) before 4.3.0.72
4.4.0 (custom) before 4.4.0.35
4.5.0 (custom) before 4.5.0.19
4.5.0 (custom) before 4.5.0.20
Credits
crnković
References
security.docs.wso2.com/...ty-advisories/2025/WSO2-2025-4483/
