CVE-2025-9973
Analyzed Analyzed - Analysis Complete
Authentication Bypass in WSO2 Identity Server via Adaptive Flow

Publication date: 2026-05-11

Last updated on: 2026-05-27

Assigner: WSO2 LLC

Description
Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to configure adaptive authentication within one organization can leverage this functionality to execute authentication logic on other organizations and sub-organizations. This flaw allows bypassing authorization boundaries between organizations, leading to unauthorized access to critical operations and user accounts in other organizations. When adaptive authentication is enabled in a multi-organization deployment, a malicious actor with privileges to configure adaptive authentication in one organization could exploit this feature to perform critical operations in other organizations without authorization. This may result in privilege escalation, unauthorized access to resources, and potential account takeover across organizations.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-27
Generated
2026-06-20
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2025-9973
EUVD
EUVD-2025-209762
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wso2 identity_server From 7.1.0 (inc) to 7.1.0.26 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9973 is a medium-severity vulnerability in WSO2 Identity Server version 7.1.0 that arises from improper validation of the organization context during adaptive authentication flows.

This flaw allows a malicious actor who has privileges to configure adaptive authentication in one organization to trigger authentication logic on other organizations and sub-organizations, bypassing authorization boundaries.

As a result, unauthorized access to critical operations and user accounts across organizations can occur, potentially leading to privilege escalation and account takeover.

Impact Analysis

This vulnerability can lead to unauthorized access to critical operations and user accounts in organizations other than the one the attacker has privileges in.

It enables privilege escalation and potential account takeover across multiple organizations in a multi-organization deployment.

Such unauthorized access can compromise sensitive resources and disrupt normal operations.

Mitigation Strategies

To mitigate the vulnerability in WSO2 Identity Server (CVE-2025-9973), users should apply the provided fix from the official GitHub repository or upgrade to the latest unaffected version.

WSO2 Support Subscription Holders are advised to update to the specified version or higher to address the issue.

Compliance Impact

This vulnerability allows unauthorized access to critical operations and user accounts across organizations by bypassing authorization boundaries. Such unauthorized access and potential account takeover could lead to violations of data protection and privacy requirements mandated by standards like GDPR and HIPAA.

Specifically, the flaw may result in privilege escalation and unauthorized resource access, which can compromise the confidentiality and integrity of personal and sensitive data. This undermines compliance with regulations that require strict access controls and protection of user data.

Therefore, organizations using affected versions of WSO2 Identity Server in multi-organization deployments should promptly apply fixes or upgrade to mitigate risks that could lead to non-compliance with such standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9973. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart