Security Advisory WSO2-2025-4438/CVE-2025-10149

Published: 2026-05-03

Version: 1.0.0

Severity: High

CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)

CVE IDs: CVE-2025-10149


AFFECTED PRODUCTS

  • WSO2 Identity Server as Key Manager: 5.10.0
  • WSO2 Identity Server: 7.1.0, 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0
  • WSO2 Open Banking IAM: 2.0.0

OVERVIEW

Federated users could perform arbitrary operations through the SCIM endpoint.

DESCRIPTION

A malicious actor authenticated as a federated user may be able to perform arbitrary operations against local user store accounts via the SCIM 2.0 or SCIM 1.1 endpoints when local and federated users share the same username.

IMPACT

Due to improper validation in the federated user authorization flow, a malicious actor could perform arbitrary operations via the SCIM 2.0 or SCIM 1.1 endpoints when local and federated users share the same username, potentially resulting in user account takeover. However, for deployments that do not support user self-registration, the identified vulnerability should be considered medium severity.
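The following is an added illustration of the vulnerability class described above, written for this advisory and not taken from WSO2 Identity Server or any WSO2 code. It models a self-service SCIM PATCH handler that authorizes on the bare username (so a federated principal whose username collides with a local account passes the ownership check and modifies the local account) beside a hardened handler that authorizes on the fully qualified identity and refuses federated principals access to local user store accounts. The store domain names PRIMARY and FEDERATED, the in-memory user store and the sample accounts are all constructed assumptions for the example; the audit helper at the end lists username collisions between the local store and a federated identity list so an administrator can review them.

```python
from dataclasses import dataclass

# Constructed user store domain names for this illustration; they are not WSO2 identifiers.
LOCAL_DOMAIN = "PRIMARY"
FEDERATED_DOMAIN = "FEDERATED"


@dataclass(frozen=True)
class Principal:
    """The authenticated caller of a SCIM request."""
    username: str
    domain: str


class UserStore:
    """Toy local user store keyed by (domain, username)."""

    def __init__(self):
        self.users = {}

    def add(self, domain, username, email):
        self.users[(domain, username)] = {"email": email}

    def find_by_username(self, username):
        """Lookup by bare username: returns the first account with that name in any domain."""
        for key, record in self.users.items():
            if key[1] == username:
                return key, record
        return None

    def find(self, domain, username):
        """Lookup by fully qualified identity (domain plus username)."""
        key = (domain, username)
        return (key, self.users[key]) if key in self.users else None


def scim_patch_vulnerable(store, caller, target_username, patch):
    """Self-service PATCH that authorizes on the bare username only.

    A federated 'alice' passes the ownership check for the local 'alice'
    because the domain is never compared, so the patch lands on the local account.
    """
    if caller.username != target_username:
        raise PermissionError("callers may only modify their own account")
    hit = store.find_by_username(target_username)
    if hit is None:
        raise LookupError(target_username)
    key, record = hit
    record.update(patch)
    return key  # the account that was actually modified


def scim_patch_hardened(store, caller, target_username, patch):
    """Self-service PATCH that authorizes on the fully qualified identity.

    Federated principals are refused access to local user store accounts,
    and the target is resolved only within the caller's own domain.
    """
    if caller.domain == FEDERATED_DOMAIN:
        raise PermissionError("federated principals may not modify local user store accounts")
    if caller.username != target_username:
        raise PermissionError("callers may only modify their own account")
    hit = store.find(caller.domain, target_username)
    if hit is None:
        raise LookupError(f"{caller.domain}/{target_username}")
    key, record = hit
    record.update(patch)
    return key


def username_collisions(store, federated_usernames):
    """Audit helper: local usernames that also appear in the federated username list."""
    local = {name for (domain, name) in store.users if domain == LOCAL_DOMAIN}
    return sorted(local & set(federated_usernames))


def demo():
    """Run both handlers on the same username-collision scenario and report the outcome."""
    patch = {"email": "changed@example.test"}  # constructed attribute change
    federated_alice = Principal(username="alice", domain=FEDERATED_DOMAIN)

    vulnerable_store = UserStore()
    vulnerable_store.add(LOCAL_DOMAIN, "alice", "alice@example.test")  # constructed local account
    touched = scim_patch_vulnerable(vulnerable_store, federated_alice, "alice", dict(patch))

    hardened_store = UserStore()
    hardened_store.add(LOCAL_DOMAIN, "alice", "alice@example.test")
    try:
        scim_patch_hardened(hardened_store, federated_alice, "alice", dict(patch))
        refused = False
    except PermissionError:
        refused = True

    return {
        "vulnerable_touched": touched,
        "vulnerable_email": vulnerable_store.users[(LOCAL_DOMAIN, "alice")]["email"],
        "hardened_refused": refused,
        "hardened_email": hardened_store.users[(LOCAL_DOMAIN, "alice")]["email"],
        "collisions": username_collisions(vulnerable_store, ["alice", "bob"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the ownership check and the account lookup must both use the same fully qualified identity; comparing usernames alone and then resolving the target by username alone is exactly the gap that lets one identity source act on another's accounts. The collision audit is a cheap pre-patch check for the condition the advisory names (local and federated users sharing a username).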

SOLUTION

Community Users (Open Source)

Apply the relevant fixes to your product using the public fix(es) provided below.

If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).

Support Subscription Holders

Update your product to the specified update level, or to a higher update level, to mitigate the identified vulnerability.

Info

WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.

Product Name                           Product Version   Update Level
WSO2 Identity Server                   7.1.0             34
WSO2 Identity Server                   7.0.0             127
WSO2 Identity Server                   6.1.0             251
WSO2 Identity Server                   6.0.0             251
WSO2 Identity Server                   5.11.0            415
WSO2 Identity Server                   5.10.0            379
WSO2 Identity Server as Key Manager    5.10.0            370
WSO2 Open Banking IAM                  2.0.0             419