Security Advisory WSO2-2025-4597/CVE-2025-14779
Published: 2026-05-03
Version: 1.0.0
Severity: Low
CVSS Score: 3.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L)
CVE IDs: CVE-2025-14779
AFFECTED PRODUCTS
- WSO2 Identity Server: 7.1.0, 6.1.0, 6.0.0
OVERVIEW
Improper access isolation in Secret Type Management API.
DESCRIPTION
Due to an improper implementation of the on-delete cascade in the Secret Type Management REST API, deleting a secret type in one organization removes every secret created with that type across all organizations, disregarding organizational boundaries. This behavior may lead to deployment downtime until the deleted secrets are reconfigured.
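As an added illustration, not WSO2's code or schema, the following constructed in-memory model shows the cascade behaviour described above: a type deletion whose dependent-secret cleanup is keyed on the type name alone removes other organizations' secrets, while the org-scoped variant beside it does not. Organization ids, type names and secret names are invented sample values.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two organizations share a secret type name."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE secret_type (org_id TEXT, type_name TEXT);
        CREATE TABLE secret (org_id TEXT, type_name TEXT, secret_name TEXT);
        INSERT INTO secret_type VALUES ('org-a', 'api-token');
        INSERT INTO secret_type VALUES ('org-b', 'api-token');
        INSERT INTO secret VALUES ('org-a', 'api-token', 'a-token');
        INSERT INTO secret VALUES ('org-b', 'api-token', 'b-token');
        INSERT INTO secret VALUES ('org-b', 'db-password', 'b-other');
    """)
    return conn


def delete_type_unscoped(conn: sqlite3.Connection, org_id: str, type_name: str) -> None:
    """Flawed cascade: the type row is scoped to the caller's org, but the
    dependent secrets are matched by type name only, so every org's secrets
    of that type are removed (the cross-organization effect in the advisory)."""
    conn.execute("DELETE FROM secret_type WHERE org_id = ? AND type_name = ?", (org_id, type_name))
    conn.execute("DELETE FROM secret WHERE type_name = ?", (type_name,))
    conn.commit()


def delete_type_scoped(conn: sqlite3.Connection, org_id: str, type_name: str) -> None:
    """Corrected cascade: dependent secrets are deleted only inside the caller's org."""
    conn.execute("DELETE FROM secret_type WHERE org_id = ? AND type_name = ?", (org_id, type_name))
    conn.execute("DELETE FROM secret WHERE org_id = ? AND type_name = ?", (org_id, type_name))
    conn.commit()


def remaining_secrets(conn: sqlite3.Connection) -> list:
    """Return (org_id, secret_name) pairs still present, in a stable order."""
    rows = conn.execute(
        "SELECT org_id, secret_name FROM secret ORDER BY org_id, secret_name"
    ).fetchall()
    return [tuple(r) for r in rows]


def demo(scoped: bool) -> list:
    """org-a deletes its 'api-token' type; report which secrets survive."""
    conn = build_db()
    delete = delete_type_scoped if scoped else delete_type_unscoped
    delete(conn, "org-a", "api-token")
    return remaining_secrets(conn)


if __name__ == "__main__":
    print("unscoped cascade leaves:", demo(scoped=False))  # org-b's b-token is gone too
    print("scoped cascade leaves:  ", demo(scoped=True))   # only org-a's secret removed
```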
IMPACT
Exploitation of this vulnerability could result in unintended deletion of secrets across all organizations, causing configuration failures, service interruptions, and potentially a denial-of-service condition. However, exploiting this vulnerability requires delete permissions for the Secret Type Management REST API, which are granted by default only to administrators in WSO2 products.
SOLUTION
Community Users (Open Source)
Apply the relevant fixes to your product using the public fix(es) provided below.
If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).
Support Subscription Holders
Update your product to the specified update level, or to a higher update level, to mitigate the identified vulnerability.
Info: WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.
| Product Name | Product Version | Update Level |
|---|---|---|
| WSO2 Identity Server | 7.1.0 | 46 |
| WSO2 Identity Server | 6.1.0 | 262 |
| WSO2 Identity Server | 6.0.0 | 261 |
After applying the provided update or public PR to the affected product versions, it is necessary to add the following configuration to the deployment.toml file to enable the Secret Type Management REST API fix, as it is disabled by default after the update.

```toml
[secret_type_endpoint]
enable = true
```