CVE-2026-2053
Received Received - Intake
WS-Addressing Header Manipulation in WSO2 API Manager

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: WSO2 LLC

Description
The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows an attacker to manipulate WS-Addressing headers to specify arbitrary destinations for server-initiated requests. Successful exploitation allows an unauthenticated attacker to control the destination of server-initiated requests originating from the WSO2 API Manager. This direct control can enable unauthorized access to internal network resources or services that would typically be inaccessible from external networks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-26
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2026-2053
EUVD
EUVD-2026-39638
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
wso2 api_manager From 4.2.0 (inc)
wso2 api_manager From 4.0.0 (inc)
wso2 api_manager From 3.2.1 (inc)
wso2 api_manager From 3.2.0 (inc)
wso2 api_manager From 3.1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2053 is a high-severity vulnerability in the WSO2 API Manager affecting multiple versions. It is an unauthenticated Server Side Request Forgery (SSRF) vulnerability related to the processing of WS-Addressing headers.

The message flow component does not sufficiently validate or restrict user-controlled input within these WS-Addressing headers. This allows an attacker to send crafted headers that manipulate server-initiated outbound requests.

As a result, an attacker can control the destination of these requests, potentially gaining unauthorized access to internal network resources or services that are normally inaccessible from external networks.

Impact Analysis

This vulnerability allows an unauthenticated attacker to manipulate server-initiated requests to arbitrary destinations within your internal network.

The impact includes unauthorized access to internal resources or services that should be protected from external access, potentially leading to data exposure, service disruption, or further exploitation within your network.

Because the attacker does not need authentication, the risk is elevated, and the vulnerability has a high CVSS score of 8.3, indicating significant potential impact.

Mitigation Strategies

To mitigate CVE-2026-2053, users should update to the latest unaffected versions of WSO2 API Manager, specifically versions beyond 4.2.0, 4.0.0, 3.2.1, 3.2.0, and 3.1.0 which are affected.

If you have custom main.xml files, you must add a property to prevent early processing of WS-Addressing headers to avoid exploitation.

For subscription holders, WSO2 Updates and patches are available to address this vulnerability.

Compliance Impact

The vulnerability allows an unauthenticated attacker to manipulate server-initiated requests to access internal network resources that are normally inaccessible externally. This unauthorized access could potentially lead to exposure of sensitive data or systems.

Such unauthorized access and potential data exposure may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information from unauthorized access.

However, the provided information does not explicitly describe the direct effects on compliance or specific regulatory impacts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2053. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart