CVE-2025-8325
Analyzed Analyzed - Analysis Complete
Role-Based Access Bypass in WSO2 API Manager

Publication date: 2026-05-11

Last updated on: 2026-05-27

Assigner: WSO2 LLC

Description
The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions. A malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges. This could lead to unintended behavior or misuse, particularly in production environments.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-27
Generated
2026-06-20
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2025-8325
EUVD
EUVD-2025-209759
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
wso2 api_control_plane From 4.5.0 (inc) to 4.5.0.18 (exc)
wso2 api_manager From 3.2.0 (inc) to 3.2.0.435 (exc)
wso2 api_manager From 3.2.1 (inc) to 3.2.1.55 (exc)
wso2 api_manager From 4.0.0 (inc) to 4.0.0.355 (exc)
wso2 api_manager From 4.1.0 (inc) to 4.1.0.219 (exc)
wso2 api_manager From 4.2.0 (inc) to 4.2.0.157 (exc)
wso2 api_manager From 4.3.0 (inc) to 4.3.0.70 (exc)
wso2 api_manager From 4.4.0 (inc) to 4.4.0.33 (exc)
wso2 api_manager From 4.5.0 (inc) to 4.5.0.17 (exc)
wso2 traffic_manager From 4.5.0 (inc) to 4.5.0.17 (exc)
wso2 universal_gateway From 4.5.0 (inc) to 4.5.0.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-281 The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves a failure to enforce role-based access controls in certain Gateway API invocations within multiple WSO2 products. Specifically, users assigned the 'Internal/Everyone' role can invoke these APIs, bypassing the intended permission checks.

Additionally, Internal Service APIs in WSO2 API Manager 3.x versions may be exposed externally due to this issue. A malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges.

Impact Analysis

The vulnerability can allow a malicious user with a valid account to bypass role-based access controls and perform sensitive operations on the Gateway REST API.

This unauthorized access could lead to unintended behavior or misuse of the system, especially in production environments, potentially compromising the security and integrity of the affected WSO2 products.

Mitigation Strategies

To mitigate this vulnerability, you should apply the fixes provided by WSO2 for the affected products and versions.

Subscription holders should update to the specific fixed update levels recommended by WSO2.

Community users can either apply the public fixes released by WSO2 or migrate to unaffected versions of the software.

Compliance Impact

The vulnerability allows users with minimal roles to bypass role-based access controls and perform sensitive operations on the Gateway REST API. This unauthorized access could lead to exposure or misuse of sensitive data or system functions.

Such unauthorized access and potential data exposure may negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8325. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart