CVE-2025-8325
Role-Based Access Bypass in WSO2 API Manager

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: WSO2 LLC

Description
The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions. A malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges. This could lead to unintended behavior or misuse, particularly in production environments.
Affected Vendors & Products (4 associated CPEs)

Vendor   Product            Version / Range
wso2     api_manager        3.x
wso2     api_control_plane  *
wso2     traffic_manager    *
wso2     universal_gateway  *
CWE
CWE-281: The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves a failure to enforce role-based access controls in certain Gateway API invocations within multiple WSO2 products. Specifically, users assigned the 'Internal/Everyone' role can invoke these APIs, bypassing the intended permission checks.

Additionally, Internal Service APIs in WSO2 API Manager 3.x versions may be exposed externally due to this issue. A malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges.

How can this vulnerability impact me?

The vulnerability can allow a malicious user with a valid account to bypass role-based access controls and perform sensitive operations on the Gateway REST API.

This unauthorized access could lead to unintended behavior or misuse of the system, especially in production environments, potentially compromising the security and integrity of the affected WSO2 products.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should apply the fixes provided by WSO2 for the affected products and versions.

Subscription holders should update to the specific fixed update levels recommended by WSO2.

Community users can either apply the public fixes released by WSO2 or migrate to unaffected versions of the software.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows users with minimal roles to bypass role-based access controls and perform sensitive operations on the Gateway REST API. This unauthorized access could lead to exposure or misuse of sensitive data or system functions.

Such unauthorized access and potential data exposure may negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.
