CVE-2025-47889
WSO2 Products impacted: no
Customers actions required: no
REPORTED VULNERABILITY
Authentication claims are accepted without validation by the WSO2 OAuth security realm, allowing unauthenticated attackers to log in to controllers that use this security realm with any username and any password, including usernames that do not exist.
REPORTED PRODUCTS
- N/A
WSO2 JUSTIFICATION
The reported vulnerability relates specifically to the wso2id-oauth-plugin, which is a third-party plugin developed independently by an external party. WSO2 has no involvement in the development, maintenance, or support of this plugin.
Importantly, WSO2 does not include or rely on this plugin in any of its products, including the WSO2 Identity Server or any associated WSO2 extensions. As such, the reported issue has no impact or relevance to any WSO2-distributed software.
Additionally, it should be noted that the wso2id-oauth-plugin has already been suspended by the Jenkins plugin maintainers due to security concerns.