

Security Advisory WSO2-2025-4733/CVE-2025-11969

Published: 2026-01-26

Version: 1.0.0

Severity: Critical

CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)

CVE IDs: CVE-2025-11969

---

AFFECTED PRODUCTS

• WSO2 API Control Plane: 4.5.0
• WSO2 API Manager: 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0
• WSO2 Identity Server as Key Manager: 5.10.0
• WSO2 Open Banking AM: 2.0.0
• WSO2 Open Banking IAM: 2.0.0
• WSO2 Traffic Manager: 4.5.0
• WSO2 Universal Gateway: 4.5.0

OVERVIEW

Broken access control in System REST APIs.

DESCRIPTION

Due to improper access control in System REST APIs, a user with low privileges can perform unauthorized actions, including executing administrative actions.

IMPACT

Successful exploitation of this vulnerability could allow a malicious actor to perform unauthorized operations on the affected product.

Any APIs created and exposed through the WSO2 API Manager's API Gateway remain unaffected.

SOLUTION

Community Users (Open Source)

Apply the relevant fixes to your product using the public fix(es) provided below.

• https://github.com/wso2/carbon-apimgt/pull/13521

If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).

Support Subscription Holders

Update your product to the specified update level, or to a higher update level, to mitigate the identified vulnerability.

Info

WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.

Product Name	Product Version	Update Level
WSO2 API Control Plane	4.5.0	33
WSO2 API Manager	4.5.0	32
WSO2 API Manager	4.4.0	49
WSO2 API Manager	4.3.0	85
WSO2 API Manager	4.2.0	173
WSO2 API Manager	4.1.0	233
WSO2 API Manager	4.0.0	370
WSO2 API Manager	3.2.1	70
WSO2 API Manager	3.2.0	450
WSO2 API Manager	3.1.0	347
WSO2 Identity Server as Key Manager	5.10.0	367
WSO2 Open Banking AM	2.0.0	396
WSO2 Open Banking IAM	2.0.0	416
WSO2 Traffic Manager	4.5.0	31
WSO2 Universal Gateway	4.5.0	31