Security Advisory WSO2-2026-5051

Published: June 18, 2026

Updated: June 18, 2026

Version: 1.0

Severity: Not Applicable

CVSS Score: Not Applicable


AFFECTED PRODUCTS

  • WSO2 API Manager : 4.2.0, 4.1.0, 4.0.0, 3.2.0, 3.1.0

OVERVIEW

Essential Security enhancement for API Manager's Script Mediators.

DESCRIPTION

This follow-up advisory provides updated configuration guidance for the Script Mediator vulnerability addressed in WSO2-2023-2938 and WSO2-2025-4510. Those advisories introduced a BLOCK_LIST approach, which required deployment owners to identify and manually block security-critical Java classes that are not needed for business operations. That approach leaves the burden of identifying and maintaining such classes with the deployment owner, and any class missing from the list remains reachable from scripts.

To simplify this process, an ALLOW_LIST approach is now the recommended default. The ALLOW_LIST permits only the Java classes required for mock API testing and denies every other class, which reduces configuration overhead while improving security.

IMPACT

By leveraging the vulnerability, a malicious actor may perform arbitrary remote code execution when the product is not hardened as per the instructions in WSO2-2023-2938 and WSO2-2025-4510. Applying the configuration in this advisory restricts Script Mediator access to the listed Java classes only and significantly strengthens the product's protection against this class of attack.

SOLUTION

The recommended solution is to apply the provided update to the affected versions of the products and add the following configuration to the <APIM_HOME>/repository/conf/deployment.toml file:

[synapse_properties]
'limit_java_class_access_in_scripts.enable' = true
'limit_java_class_access_in_scripts.list_type' = "ALLOW_LIST"
'limit_java_class_access_in_scripts.class_prefixes' = "org.apache.synapse.mediators.bsf.CommonScriptMessageContext,java.lang.String"

Info

If your use cases require additional Java classes in the Script Mediator, extend the class_prefixes list with the fully qualified names of those classes. Keep each entry as specific as possible: a broad entry such as java.lang would re-open access to classes the allow list is meant to exclude.

CREDITS

WSO2 thanks crnkovic for responsibly reporting this issue and working with us as we addressed it.

REFERENCES