QSearchQSearch

CVE-2025-9973

6.4 MEDIUM

Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive aut...

Published: 2026-05-11 · Last updated: 2026-05-27

Severity and scoring

CVSS
6.4 MEDIUM
Vector
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
CWE
CWE-284, CWE-863

Affected products

VendorProduct
wso2identity_server

Description

Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to configure adaptive authentication within one organization can leverage this functionality to execute authentication logic on other organizations and sub-organizations. This flaw allows bypassing authorization boundaries between organizations, leading to unauthorized access to critical operations and user accounts in other organizations. When adaptive authentication is enabled in a multi-organization deployment, a malicious actor with privileges to configure adaptive authentication in one organization could exploit this feature to perform critical operations in other organizations without authorization. This may result in privilege escalation, unauthorized access to resources, and potential account takeover across organizations.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2025-10470 The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, l... (8.6 HIGH)
  • CVE-2025-8325 The software fails to enforce role-based access controls for certain Gateway API invocations (6.3 MEDIUM)
  • CVE-2025-8154 In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitizat... (5.3 MEDIUM)
  • CVE-2025-10908 Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic ... (7.3 HIGH)
  • CVE-2024-0391 The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the exis... (5.3 MEDIUM)

Same CWE

  • CVE-2026-49219 ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
  • CVE-2026-46695 Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to ru... (10.0 CRITICAL)
  • CVE-2026-53738 Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdp_action_handling AJAX handler (8.1 HIGH)
  • CVE-2026-50564 Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (9.9 CRITICAL)
  • CVE-2026-50563 Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (9.9 CRITICAL)