Security Advisory WSO2-2025-4672/CVE-2025-12317
Published: 2026-05-03
Version: 1.0.0
Severity: Medium
CVSS Score: 5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVE IDs: CVE-2025-12317
AFFECTED PRODUCTS
- WSO2 Enterprise Integrator: 6.6.0
- WSO2 Identity Server: 5.11.0
OVERVIEW
Improper token revocation via SOAP services.
DESCRIPTION
When internal roles are removed from a user, any previously issued tokens remain valid. As a result, the user can retain their previous privileges until the token naturally expires.
IMPACT
This vulnerability could allow users to retain access privileges that should have been revoked. This enables unauthorized actions or access to restricted resources until the previously issued tokens expire.
SOLUTION
Community Users (Open Source)
Migrate to the latest unaffected version of the respective WSO2 product(s).
Support Subscription Holders
Update your product to the specified update level, or to a higher update level, to mitigate the identified vulnerability.
WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.
| Product Name | Product Version | Update Level |
|---|---|---|
| WSO2 Enterprise Integrator | 6.6.0 | 228 |
| WSO2 Identity Server | 5.11.0 | 423 |
Additionally, for WSO2 Identity Server 5.11.0, it is recommended to add the following configuration to the deployment.toml file:

```toml
[post_update_internal_role_list_of_user_listener]
enable = true
```
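The two remediation conditions above (reaching the listed update level, and, for Identity Server 5.11.0, enabling the listener in deployment.toml) can be verified from a deployment's own files. The following is an added example written for this advisory, not WSO2 code: it reads a deployment.toml with a small TOML-subset parser, checks that the listener section is present with `enable = true`, and compares a deployment's update level against the table in this advisory (assuming, as the advisory states, that any higher update level also carries the fix). The sample deployment.toml contents are constructed for the example.

```python
"""Check a WSO2 deployment against advisory WSO2-2025-4672.

Added example (not WSO2's own code). The update-level table and the
listener section name are taken from the advisory text; the sample
deployment.toml contents below are constructed for demonstration.
"""
from __future__ import annotations

import re

# Section and key the advisory recommends for WSO2 Identity Server 5.11.0.
LISTENER_SECTION = "post_update_internal_role_list_of_user_listener"
LISTENER_KEY = "enable"

# Minimum update level per product, from the advisory's table.
FIXED_UPDATE_LEVELS: dict[tuple[str, str], int] = {
    ("WSO2 Enterprise Integrator", "6.6.0"): 228,
    ("WSO2 Identity Server", "5.11.0"): 423,
}


def parse_simple_toml(text: str) -> dict[str, dict[str, object]]:
    """Minimal TOML-subset parser: [section] headers and key = value lines
    with boolean, integer or quoted-string values. Sufficient for the
    advisory's snippet; it is not a full TOML implementation (for example,
    '#' inside quoted strings is treated as a comment start)."""
    sections: dict[str, dict[str, object]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        parsed: object
        if value in ("true", "false"):
            parsed = value == "true"
        elif re.fullmatch(r"-?\d+", value):
            parsed = int(value)
        else:
            parsed = value.strip('"')
        sections[current][key] = parsed
    return sections


def listener_enabled(toml_text: str) -> bool:
    """True only if the listener section exists and enable is the boolean true."""
    cfg = parse_simple_toml(toml_text)
    return cfg.get(LISTENER_SECTION, {}).get(LISTENER_KEY) is True


def is_patched(product: str, version: str, update_level: int) -> bool | None:
    """True/False against the advisory table; None if the product/version
    is not listed (no statement can be made from this advisory)."""
    required = FIXED_UPDATE_LEVELS.get((product, version))
    if required is None:
        return None
    return update_level >= required


def assess(product: str, version: str, update_level: int, toml_text: str) -> list[str]:
    """Return a list of findings; an empty list means both conditions hold."""
    findings: list[str] = []
    patched = is_patched(product, version, update_level)
    if patched is None:
        findings.append(f"{product} {version} is not listed in the advisory")
    elif not patched:
        required = FIXED_UPDATE_LEVELS[(product, version)]
        findings.append(f"update level {update_level} is below the required {required}")
    # The listener configuration is only recommended for Identity Server 5.11.0.
    if (product, version) == ("WSO2 Identity Server", "5.11.0") and not listener_enabled(toml_text):
        findings.append(f"[{LISTENER_SECTION}] {LISTENER_KEY} = true is missing from deployment.toml")
    return findings


# Constructed sample deployment.toml contents (not from a real deployment).
SAMPLE_VULNERABLE = """
[server]
hostname = "localhost"  # constructed value

[post_update_internal_role_list_of_user_listener]
enable = false
"""

SAMPLE_FIXED = """
[server]
hostname = "localhost"  # constructed value

[post_update_internal_role_list_of_user_listener]
enable = true
"""

if __name__ == "__main__":
    for level, text in ((400, SAMPLE_VULNERABLE), (423, SAMPLE_FIXED)):
        print(level, assess("WSO2 Identity Server", "5.11.0", level, text))
```

Run the script directly to see findings for the two constructed configurations; in practice, feed `assess` the product, version and update level reported by the deployment together with the contents of its deployment.toml.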