Security Advisory WSO2-2025-4530/CVE-2025-9973
Published: 2026-01-26
Version: 1.0.0
Severity: Medium
CVSS Score: 6.4 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L)
CVE IDs: CVE-2025-9973
AFFECTED PRODUCTS
- WSO2 Identity Server: 7.1.0
OVERVIEW
Potential account takeover vulnerability via adaptive authentication in multi-organization deployments.
DESCRIPTION
Because the organization context is not validated when adaptive authentication flows are executed, a malicious actor with access to configure adaptive authentication within one organization can use that functionality to trigger authentication logic in other organizations and sub-organizations. This flaw allows the authorization boundaries between organizations to be bypassed, leading to unauthorized access to critical operations and user accounts in other organizations.
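The flaw above is a missing tenant-boundary check: a script configured under one organization is run in another organization's login flow. The following Python is an added illustration, not WSO2 code; the classes, functions and audit-log field names (AdaptiveScript, AuthFlow, check_org_context, scriptOrg, flowOrg) are hypothetical. It models the unchecked execution path beside one that enforces the organization context, and runs a detection rule over constructed audit-log lines to flag cross-organization executions. It assumes the fix takes the shape of an exact match between the script's owning organization and the flow's organization, which the advisory does not spell out.

```python
"""Organization-context check for adaptive authentication scripts.

Added illustration, not WSO2 code: every class, function and log field here
is hypothetical and only models the flaw described in the advisory (a script
configured in one organization being executed in another organization's flow).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AdaptiveScript:
    script_id: str
    owner_org: str  # organization whose administrator configured the script


@dataclass(frozen=True)
class AuthFlow:
    flow_id: str
    org: str        # organization context of the login being processed
    user: str


class OrgContextError(PermissionError):
    """Raised when a script is invoked outside the organization that owns it."""


def check_org_context(script: AdaptiveScript, flow: AuthFlow) -> bool:
    """The boundary check itself: a script may only run in the organization
    that owns it (assumed fix shape; exact match, no inheritance)."""
    return script.owner_org == flow.org


def run_adaptive_script_unchecked(script: AdaptiveScript, flow: AuthFlow) -> str:
    """Vulnerable pattern: executes whichever script is referenced and never
    asks whether its owner organization matches the flow's organization."""
    # Stand-in for real script execution; returns a record of what ran where.
    return f"{script.script_id} executed for {flow.user}@{flow.org}"


def run_adaptive_script(script: AdaptiveScript, flow: AuthFlow) -> str:
    """Hardened pattern: refuse cross-organization invocation before executing."""
    if not check_org_context(script, flow):
        raise OrgContextError(
            f"script {script.script_id} belongs to {script.owner_org}, "
            f"flow {flow.flow_id} runs in {flow.org}"
        )
    return run_adaptive_script_unchecked(script, flow)


# Constructed audit-log sample in a hypothetical format; a real deployment
# would map its own field names onto scriptOrg / flowOrg.
SAMPLE_AUDIT_LOG = """\
2026-01-26T10:00:01Z ADAPTIVE_SCRIPT_EXEC script=login-mfa scriptOrg=org-a flowOrg=org-a user=alice
2026-01-26T10:00:07Z ADAPTIVE_SCRIPT_EXEC script=login-mfa scriptOrg=org-a flowOrg=org-b user=bob
2026-01-26T10:00:09Z ADAPTIVE_SCRIPT_EXEC script=risk-step scriptOrg=org-b flowOrg=org-b user=carol
"""

_EXEC_LINE = re.compile(
    r"^(?P<ts>\S+) ADAPTIVE_SCRIPT_EXEC script=(?P<script>\S+) "
    r"scriptOrg=(?P<script_org>\S+) flowOrg=(?P<flow_org>\S+) user=(?P<user>\S+)$"
)


def find_cross_org_executions(log_text: str) -> list:
    """Detection rule: return every recorded execution whose script owner
    organization differs from the organization of the flow it ran in."""
    findings = []
    for line in log_text.splitlines():
        m = _EXEC_LINE.match(line)
        if m and m["script_org"] != m["flow_org"]:
            findings.append(m.groupdict())
    return findings


if __name__ == "__main__":
    script = AdaptiveScript("login-mfa", owner_org="org-a")
    print(run_adaptive_script(script, AuthFlow("f1", "org-a", "alice")))
    try:
        run_adaptive_script(script, AuthFlow("f2", "org-b", "bob"))
    except OrgContextError as err:
        print("blocked:", err)
    for hit in find_cross_org_executions(SAMPLE_AUDIT_LOG):
        print("cross-org execution:", hit)
```

The detection half is the part worth keeping after patching: if script executions are logged with both the owning organization and the flow's organization, any mismatch is a direct indicator that the boundary was crossed, whether through this flaw or a later regression.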
IMPACT
When adaptive authentication is enabled in a multi-organization deployment, a malicious actor with privileges to configure adaptive authentication in one organization could exploit this feature to perform critical operations in other organizations without authorization. This may result in privilege escalation, unauthorized access to resources, and potential account takeover across organizations.
SOLUTION
Community Users (Open Source)
Apply the relevant fixes to your product using the public fix(es) provided below.
If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).
Support Subscription Holders
Update your product to the specified update level, or to a higher update level, to mitigate the identified vulnerability.
Info: WSO2 Support Subscription Holders may use WSO2 Updates to apply the fix.
| Product Name | Product Version | Update Level |
|---|---|---|
| WSO2 Identity Server | 7.1.0 | 26 |