On the Publisher portal, uploaded API documentation is available for an unauthenticated user.
- WSO2 API Manager 2.6.0
The uploaded documents for an API can be accessed without authentication only when the API visibility is set to public. If the visibility is set to some user role, the document will not be available without authentication and authorization. Furthermore, if we change the API visibility to restricted roles after adding the document, those roles will get applied to the existing uploaded documents and they will not be available for an unauthenticated user. This is the expected behavior of WSO2 API Manager. Therefore, if the API visibility is correctly set using user roles, this is not a vulnerability.