

Security Advisory WSO2-2025-4585/CVE-2025-10611

Published: 2025-10-15

Version: 1.0.0

Severity: Critical

CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE IDs: CVE-2025-10611

---

AFFECTED PRODUCTS

• WSO2 API Control Plane: 4.5.0
• WSO2 API Manager: 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0, 3.0.0, 2.6.0, 2.5.0, 2.2.0, 2.1.0
• WSO2 Identity Server as Key Manager: 5.10.0, 5.9.0, 5.7.0, 5.6.0, 5.5.0, 5.3.0
• WSO2 Identity Server: 7.1.0, 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0, 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, 5.3.0
• WSO2 Open Banking AM: 2.0.0, 1.5.0, 1.4.0
• WSO2 Open Banking IAM: 2.0.0
• WSO2 Open Banking KM: 1.5.0, 1.4.0
• WSO2 Traffic Manager: 4.5.0
• WSO2 Universal Gateway: 4.5.0

OVERVIEW

Potential broken access control in System REST APIs.

DESCRIPTION

Due to an insufficient access control implementation, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation.

IMPACT

Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.

SOLUTION

Community Users (Open Source)

Apply the relevant fixes to your product using the public fix(es) provided below.

• https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/344/
• https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/345/
• https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/346/
• https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/347/

If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).

Support Subscription Holders

To apply the fix, update your product to the specified or a higher update level. Additionally, consult the customer announcement on the WSO2 Support Portal for configuration instructions.

Info

WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.

Product Name	Product Version	Update Level
WSO2 API Control Plane	4.5.0	29
WSO2 API Manager	4.5.0	28
WSO2 API Manager	4.4.0	45
WSO2 API Manager	4.3.0	81
WSO2 API Manager	4.2.0	169
WSO2 API Manager	4.1.0	228
WSO2 API Manager	4.0.0	366
WSO2 API Manager	3.2.1	66
WSO2 API Manager	3.2.0	446
WSO2 API Manager	3.1.0	345
WSO2 API Manager	3.0.0	178
WSO2 API Manager	2.6.0	148
WSO2 API Manager	2.5.0	87
WSO2 API Manager	2.2.0	61
WSO2 API Manager	2.1.0	42
WSO2 Identity Server	7.1.0	31
WSO2 Identity Server	7.0.0	124
WSO2 Identity Server	6.1.0	248
WSO2 Identity Server	6.0.0	248
WSO2 Identity Server	5.11.0	419
WSO2 Identity Server	5.10.0	375
WSO2 Identity Server	5.9.0	171
WSO2 Identity Server	5.8.0	112
WSO2 Identity Server	5.7.0	128
WSO2 Identity Server	5.6.0	62
WSO2 Identity Server	5.5.0	54
WSO2 Identity Server	5.3.0	39
WSO2 Identity Server as Key Manager	5.10.0	365
WSO2 Identity Server as Key Manager	5.9.0	178
WSO2 Identity Server as Key Manager	5.7.0	127
WSO2 Identity Server as Key Manager	5.6.0	77
WSO2 Identity Server as Key Manager	5.5.0	55
WSO2 Identity Server as Key Manager	5.3.0	44
WSO2 Open Banking AM	2.0.0	394
WSO2 Open Banking AM	1.5.0	142
WSO2 Open Banking AM	1.4.0	141
WSO2 Open Banking IAM	2.0.0	414
WSO2 Open Banking KM	1.5.0	125
WSO2 Open Banking KM	1.4.0	135
WSO2 Traffic Manager	4.5.0	27
WSO2 Universal Gateway	4.5.0	27

Configuration Changes (mandatory)

For following product versions, it is essential to not only apply the updates but also follow the instructions provided below to ensure complete remediation of the vulnerability in your deployment:

• WSO2 Identity Server 5.8.0, 5.7.0, 5.6.0, 5.5.0
• WSO2 Identity Server KM 5.5.0, 5.6.0, 5.7.0
• WSO2 Open Banking KM 1.4.0, 1.5.0
• WSO2 Open Banking IAM 2.0.0

Remediation instructions:

• WSO2-2025-4585 - Instructions for WSO2 Identity Server / WSO2 Identity Server as Key Manager / WSO2 Open Banking KM / WSO2 Open Banking IAM