CVE-2026-4249
Received Received - Intake

Throttling Event Handling DoS in WSO2 Products

Vulnerability report for CVE-2026-4249, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: WSO2 LLC

Description

The throttling event handling mechanism in multiple WSO2 products accepts user-supplied JSON payloads without sufficient validation of their structure and content. This allows an unauthenticated remote attacker to inject malicious JSON data that can lead to a persistent denial of service condition. Successful exploitation of this vulnerability can disrupt the API Gateway, preventing legitimate API traffic from being processed and impacting complete service availability. The denial of service is persistent, requiring manual intervention to restore normal operations.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
wso2 api_control_plane *
wso2 api_manager *
wso2 traffic_manager *
wso2 universal_gateway *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in multiple WSO2 products where the throttling event handling mechanism accepts user-supplied JSON payloads without properly validating their structure and content.

An unauthenticated remote attacker can exploit this flaw by injecting malicious JSON data, which can cause a persistent denial of service (DoS) condition.

This results in disruption of the API Gateway, preventing legitimate API traffic from being processed and requiring manual intervention to restore normal operations.

Impact Analysis

Exploitation of this vulnerability can lead to a persistent denial of service condition that disrupts the API Gateway functionality.

This disruption prevents legitimate API traffic from being processed, which can cause complete service unavailability.

The denial of service is persistent and requires manual intervention to restore normal operations, potentially causing significant downtime and operational impact.

Mitigation Strategies

To mitigate this vulnerability, you should apply the patches or update to the fixed versions provided by WSO2 for the affected products.

The fix includes introducing an authentication check for the throttling endpoint, which may affect existing unauthenticated flows, so review and adjust your configurations accordingly.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4249. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart