Security Advisory WSO2-2025-4525/CVE-2025-11229

Published: 2026-01-26

Version: 1.0.0

Severity: High

CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVE IDs: CVE-2025-11229


AFFECTED PRODUCTS

  • WSO2 Identity Server: 7.1.0, 7.0.0

OVERVIEW

Potential Privilege Escalation via Client Credentials grant type.

DESCRIPTION

This vulnerability is only applicable to deployments where the authorize_all_scopes configuration is enabled in deployment.toml. By default, this configuration is disabled in WSO2 products. When it is enabled, any application can obtain all API scopes, including sensitive internal and console scopes, through the client credentials grant type, without those scopes having been explicitly authorized for that application. This misconfiguration bypasses the intended access controls, potentially allowing unprivileged clients to perform administrative actions or access confidential data.

IMPACT

Exploitation of this vulnerability may lead to privilege escalation, unauthorized administrative actions, exposure of sensitive organizational data, and potential full account takeover, in deployments where authorize_all_scopes has been enabled, deviating from the default configuration.

SOLUTION

You do not need to take any additional action if the following configuration is not present in the <Product_Home>/repository/conf/deployment.toml file, or if it is explicitly set to false as shown below, since this disables the vulnerable behavior:

[oauth]
authorize_all_scopes = false

However, if this value is set to true in the deployment.toml file, the system is vulnerable, and it is necessary to apply the fix using one of the methods mentioned below.

Community Users (Open Source)

Apply the relevant fixes to your product using the public fix(es) provided below.

If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).

Support Subscription Holders

Update your product to the specified update level, or to a higher update level, to mitigate the identified vulnerability.

Info

WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.

Product Name            Product Version   Update Level
WSO2 Identity Server    7.1.0             32
WSO2 Identity Server    7.0.0             125

Once you apply the fix using one of the methods mentioned above, add the following configuration to the <Product_Home>/repository/conf/deployment.toml file to prevent management API–related (internal) scopes from being granted through the Client Credentials grant type.

All business-related scopes will continue to be issued as expected, regardless of the scopes defined for the application.

[oauth]
authorize_all_scopes = true
authorize_internal_scopes = false
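The configuration states described in the Solution (authorize_all_scopes absent or false; true without authorize_internal_scopes = false; true with it) and the symptom described in the Description (internal scopes appearing in a token issued under the client credentials grant) can be checked with the following script. It is an added example for this advisory, not WSO2 code. It assumes that internal scopes are identified by the internal_ name prefix, that the token endpoint returns a space-separated scope field as defined in RFC 6749, and that a minimal reader of [table] headers and key = true|false lines is enough for this flag; the deployment.toml fragments and the token response below are constructed samples, not captured from a real server.

```python
"""Audit helpers for the authorize_all_scopes setting (CVE-2025-11229).

Added example, not WSO2 code. Assumptions (labelled): internal scopes carry
the "internal_" prefix; the token response "scope" field is space-separated
(RFC 6749 section 5.1); the TOML reader below only needs [table] headers
and boolean key = value lines.
"""
import json


def parse_toml_booleans(text):
    """Minimal reader for `[table]` headers and `key = true|false` lines.

    Sufficient for deployment.toml flag checks; NOT a full TOML parser.
    Returns a dict keyed by "table.key" with bool values.
    """
    flags = {}
    table = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("["):
            table = line.strip("[]").strip()  # handles [oauth] and [[x.y]]
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value in ("true", "false"):
                flags[f"{table}.{key}"] = value == "true"
    return flags


def classify_oauth_config(toml_text):
    """Return "not-affected", "vulnerable" or "hardened" for a deployment.toml.

    "not-affected": authorize_all_scopes absent or false (the default).
    "vulnerable":   authorize_all_scopes = true without the post-fix setting.
    "hardened":     authorize_all_scopes = true and authorize_internal_scopes
                    = false, as the advisory directs after the update level
                    is applied; the update level itself must be verified
                    separately, this function only reads configuration.
    """
    flags = parse_toml_booleans(toml_text)
    all_scopes = flags.get("oauth.authorize_all_scopes", False)
    internal_allowed = flags.get("oauth.authorize_internal_scopes", True)
    if not all_scopes:
        return "not-affected"
    if internal_allowed:
        return "vulnerable"
    return "hardened"


def internal_scopes_granted(token_response_json, prefixes=("internal_",)):
    """List scopes in a token response that look like internal/console scopes.

    Feed this the JSON body returned by a client_credentials request; any
    non-empty result for an application that was never authorized for such
    scopes is the behaviour the advisory describes. The prefix list is an
    assumption; extend it for other internal scope naming schemes.
    """
    body = json.loads(token_response_json)
    granted = body.get("scope", "").split()
    return [scope for scope in granted if scope.startswith(prefixes)]


# Constructed deployment.toml fragments (not taken from a real deployment).
VULNERABLE_TOML = """\
[server]
hostname = "localhost"

[oauth]
authorize_all_scopes = true
"""
SAFE_TOML = "[oauth]\nauthorize_all_scopes = false\n"
HARDENED_TOML = (
    "[oauth]\nauthorize_all_scopes = true\nauthorize_internal_scopes = false\n"
)

# Constructed token response (not captured from a real server).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "example-opaque-token",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "internal_user_mgt_list internal_application_mgt_view read_orders",
})


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_TOML),
                       ("safe", SAFE_TOML),
                       ("hardened", HARDENED_TOML)):
        print(f"{name:10s} -> {classify_oauth_config(text)}")
    print("internal scopes in token:", internal_scopes_granted(SAMPLE_TOKEN_RESPONSE))
```

To use it against a live deployment, pass the contents of <Product_Home>/repository/conf/deployment.toml to classify_oauth_config, and pass the JSON body of a client_credentials token request made with an application that has no internal scopes assigned to internal_scopes_granted; a non-empty list from the latter on an unpatched, vulnerable configuration is the condition to remediate.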