CVE-2025-9973
Authentication Bypass in WSO2 Identity Server via Adaptive Flow

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: WSO2 LLC

Description
Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to configure adaptive authentication within one organization can leverage this functionality to execute authentication logic on other organizations and sub-organizations. This flaw allows bypassing authorization boundaries between organizations, leading to unauthorized access to critical operations and user accounts in other organizations. When adaptive authentication is enabled in a multi-organization deployment, a malicious actor with privileges to configure adaptive authentication in one organization could exploit this feature to perform critical operations in other organizations without authorization. This may result in privilege escalation, unauthorized access to resources, and potential account takeover across organizations.
Affected Vendors & Products
Vendor: wso2
Product: identity_server
Version: 7.1.0
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-9973 is a medium-severity vulnerability in WSO2 Identity Server version 7.1.0 that arises from improper validation of the organization context during adaptive authentication flows.

This flaw allows a malicious actor who has privileges to configure adaptive authentication in one organization to trigger authentication logic on other organizations and sub-organizations, bypassing authorization boundaries.

As a result, unauthorized access to critical operations and user accounts across organizations can occur, potentially leading to privilege escalation and account takeover.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized access to critical operations and user accounts in organizations other than the one the attacker has privileges in.

It enables privilege escalation and potential account takeover across multiple organizations in a multi-organization deployment.

Such unauthorized access can compromise sensitive resources and disrupt normal operations.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the vulnerability in WSO2 Identity Server (CVE-2025-9973), users should apply the provided fix from the official GitHub repository or upgrade to the latest unaffected version.

WSO2 Support Subscription Holders are advised to update to the specified version or higher to address the issue.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthorized access to critical operations and user accounts across organizations by bypassing authorization boundaries. Such unauthorized access and potential account takeover could lead to violations of data protection and privacy requirements mandated by standards like GDPR and HIPAA.

Specifically, the flaw may result in privilege escalation and unauthorized resource access, which can compromise the confidentiality and integrity of personal and sensitive data. This undermines compliance with regulations that require strict access controls and protection of user data.

Therefore, organizations using affected versions of WSO2 Identity Server in multi-organization deployments should promptly apply fixes or upgrade to mitigate risks that could lead to non-compliance with such standards.

