CVE-2025-13475
Status: Received - Intake

Cross-Tenant Consent Misconfiguration in SaaS Application

Vulnerability report for CVE-2025-13475, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: WSO2 LLC

Description

In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. Consent granted by a user for a specific SaaS application within one tenant can be incorrectly applied to SaaS applications with the same name in other tenants, leading to unintended cross-tenant consent sharing. As a result, SaaS applications in other tenants can access and modify user information without the user ever having authorized them explicitly, which amounts to unauthorized data access and a privacy violation. This vulnerability has no impact if the deployment does not support multi-tenancy.
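The defect is easiest to see as a keying problem in the consent store. The following is an added illustration, not WSO2 code: it models a consent store that keys receipts by (user, application name), which is the behaviour the description implies, next to one that also keys on the application's owning tenant. The tenant domains, application names, user and scopes are constructed sample data; the simplified login rule (users from other tenants may authenticate only to SaaS-enabled applications) is an assumption made for the model, not a description of the product's actual checks.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class Application:
    tenant_domain: str  # tenant that owns this service provider
    name: str           # unique only within the owning tenant
    saas_enabled: bool  # users from other tenants may log in when True


def user_tenant(user: str) -> str:
    """Tenant domain of a fully qualified username such as alice@tenant-a.example."""
    return user.rsplit("@", 1)[1]


def can_authenticate(user: str, app: Application) -> bool:
    """Model rule (assumption): a user may log in to an app in another tenant
    only if that app is SaaS-enabled."""
    return app.saas_enabled or user_tenant(user) == app.tenant_domain


class NameKeyedConsentStore:
    """Vulnerable model: receipts are keyed by (user, app name).

    Two applications that share a name but live in different tenants collapse
    onto one key, so consent given in one tenant is found by the other.
    """

    def __init__(self) -> None:
        self._receipts: Dict[Tuple[str, str], FrozenSet[str]] = {}

    def grant(self, user: str, app: Application, scopes: Iterable[str]) -> None:
        self._receipts[(user, app.name)] = frozenset(scopes)

    def consented(self, user: str, app: Application) -> FrozenSet[str]:
        return self._receipts.get((user, app.name), frozenset())


class TenantScopedConsentStore:
    """Hardened model: the owning tenant domain is part of the key."""

    def __init__(self) -> None:
        self._receipts: Dict[Tuple[str, str, str], FrozenSet[str]] = {}

    def grant(self, user: str, app: Application, scopes: Iterable[str]) -> None:
        self._receipts[(user, app.tenant_domain, app.name)] = frozenset(scopes)

    def consented(self, user: str, app: Application) -> FrozenSet[str]:
        return self._receipts.get((user, app.tenant_domain, app.name), frozenset())


def release_claims(store, user: str, app: Application,
                   requested: Iterable[str]) -> Tuple[FrozenSet[str], bool]:
    """Decide what the app receives at login.

    Returns (scopes released without prompting, whether a consent prompt is
    still required for the remainder). Raises if the user cannot log in at all.
    """
    if not can_authenticate(user, app):
        raise PermissionError(f"{user} cannot log in to {app.tenant_domain}/{app.name}")
    requested = frozenset(requested)
    already = store.consented(user, app) & requested
    return already, already != requested


def demo() -> Dict[str, Tuple[list, bool]]:
    """Constructed scenario: alice consents to tenant-a's 'billing-portal';
    tenant-b runs a different, identically named SaaS application."""
    alice = "alice@tenant-a.example"
    app_a = Application("tenant-a.example", "billing-portal", saas_enabled=True)
    app_b = Application("tenant-b.example", "billing-portal", saas_enabled=True)
    scopes = {"email", "profile"}

    results = {}
    for label, store in (("vulnerable", NameKeyedConsentStore()),
                         ("fixed", TenantScopedConsentStore())):
        store.grant(alice, app_a, scopes)          # consent given only in tenant-a
        released, prompt = release_claims(store, alice, app_b, scopes)
        results[label] = (sorted(released), prompt)
    return results


if __name__ == "__main__":
    for label, (released, prompt) in demo().items():
        print(f"{label}: tenant-b app receives {released}, prompt required: {prompt}")
```

With the name-keyed store, tenant-b's application obtains alice's email and profile claims with no prompt, because the lookup never asks which tenant owns the application she consented to; with the tenant-scoped store, tenant-b's application finds no receipt and must ask her. The same ambiguity applies to any store or cache that treats the application name as a global identifier.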


Meta Information

Published: 2026-07-04
Last Modified: 2026-07-04
Generated: 2026-07-04
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor  Product          Version / Range
wso2    api_manager      From 3.2.1 (inc)
wso2    api_manager      From 3.2.0 (inc)
wso2    identity_server  From 5.10.0 (inc)

CWE

CWE-288: The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Executive Summary

This vulnerability affects multi-tenant deployments of WSO2 API Manager and Identity Server. It occurs because the consent management mechanism does not properly isolate consent scopes between tenants. As a result, when a user grants consent to a SaaS application in one tenant (in WSO2 terms, a service provider flagged as SaaS-enabled so that users from any tenant can authenticate to it), that consent can mistakenly apply to identically named applications in other tenants.

This leads to unintended cross-tenant consent sharing, allowing SaaS applications in different tenants to access user data without explicit authorization.

Compliance Impact

This vulnerability poses compliance risks because it can cause unauthorized sharing and exposure of user data across tenants, violating data privacy and protection requirements found in regulations such as GDPR and HIPAA.

Failure to properly isolate user consent and prevent unauthorized data access may lead to breaches of regulatory obligations concerning user consent, data confidentiality, and privacy.

Mitigation Strategies

To mitigate CVE-2025-13475, update to the latest unaffected versions or apply the specific update levels: update level 76 for WSO2 API Manager 3.2.1, update level 457 for WSO2 API Manager 3.2.0, and update level 382 for WSO2 Identity Server 5.10.0.

After applying the updates, you must also create two new tables in the identity database using the scripts provided in the /dbscripts/identity directory; the update alone does not change the database schema. Deployments that do not support multi-tenancy are not affected by this issue.

Impact Analysis

The vulnerability can result in unauthorized access to user data across tenants in a multi-tenant environment. SaaS applications in one tenant may gain access to information from other tenants without explicit user consent.

This can lead to privacy violations and unauthorized data exposure, potentially compromising sensitive information.
