CVE-2025-8325
6.3 MEDIUM
The software fails to enforce role-based access controls for certain Gateway API invocations
Published: 2026-05-11 · Last updated: 2026-05-27
Severity and scoring
- CVSS: 6.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- CWE: CWE-281
Affected products
| Vendor | Product |
|---|---|
| wso2 | api_control_plane, api_manager, traffic_manager |
Description
The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions. A malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges. This could lead to unintended behavior or misuse, particularly in production environments.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2025-9973 — Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive aut... (6.4 MEDIUM)
- CVE-2025-10470 — The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, l... (8.6 HIGH)
- CVE-2025-8154 — In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitizat... (5.3 MEDIUM)
- CVE-2025-10908 — Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic ... (7.3 HIGH)
- CVE-2024-0391 — The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the exis... (5.3 MEDIUM)
Same CWE
- CVE-2024-47270 — Improper preservation of permissions vulnerability in Archiving Push functionality in Synology Surveillance Station before 9.2.2-11575 an... (2.7 LOW)
- CVE-2026-44832 — Snipe-IT is an IT asset/license management system (8.8 HIGH)
- CVE-2026-24194 — NVIDIA Display Driver for Linux contains a vulnerability in a kernel mode layer handler, where a user could cause improper permission han... (7.8 HIGH)
- CVE-2026-34744 — Mantis Bug Tracker (MantisBT) is an open source issue tracker
- CVE-2026-34600 — Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks (5.7 MEDIUM)