Security Advisory WSO2-2026-5212/CVE-2026-4052
Published: June 18, 2026
Updated: June 18, 2026
Version: 1.0
Severity: Critical
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
AFFECTED PRODUCTS
- WSO2 API Control Plane: 4.6.0, 4.5.0
- WSO2 API Manager: 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0
OVERVIEW
Self-Registered User Gaining Admin Privileges (APIM 4.x/IS as Resident Key Manager)
DESCRIPTION
This issue only impacts deployments where WSO2 Identity Server is configured as a Resident Key Manager with database sharing. In such environments, a self-registered user may gain access to the System REST APIs of WSO2 API Manager by obtaining a token from the WSO2 Identity Server token endpoint.
IMPACT
Exploitation of this vulnerability allows a low-privileged user to invoke the System REST APIs of WSO2 API Manager, potentially leading to full administrative account takeover.
SOLUTION
Please follow the steps mentioned below to apply the fix:
- Ensure that the WSO2 Identity Server is updated to the latest U2 version.
- Ensure that the WSO2 API Manager is updated to the latest U2 version.
- Update the WSO2 IS Connector in the WSO2 Identity Server instances.
- Download the latest connector version by referring to the official WSO2 documentation corresponding to the WSO2 API Manager version used in your deployments.
The relevant documentation links are provided below. Note that the connector is available under Step 4 – Configure WSO2 Identity Server with WSO2 API Manager, specifically in the first item listed in that step.
- APIM 4.1.0: https://apim.docs.wso2.com/en/4.1.0/install-and-setup/setup/distributed-deployment/configuring-wso2-identity-server-as-a-key-manager/#step-4-configure-wso2-is-with-wso2-api-m
- APIM 4.2.0: https://apim.docs.wso2.com/en/4.2.0/install-and-setup/setup/distributed-deployment/configuring-wso2-identity-server-as-a-key-manager/#step-4-configure-wso2-is-with-wso2-api-m
- APIM 4.3.0: https://apim.docs.wso2.com/en/4.3.0/install-and-setup/setup/distributed-deployment/configuring-wso2-identity-server-as-a-key-manager/#step-4-configure-wso2-is-with-wso2-api-m
- APIM 4.4.0: https://apim.docs.wso2.com/en/4.4.0/install-and-setup/setup/distributed-deployment/configuring-wso2-identity-server-as-a-key-manager/#step-4-configure-wso2-is-with-wso2-api-m
- APIM 4.5.0: https://apim.docs.wso2.com/en/4.5.0/install-and-setup/setup/distributed-deployment/configuring-wso2-identity-server-as-a-key-manager/#step-4-configure-wso2-is-with-wso2-api-m
- APIM 4.6.0: https://apim.docs.wso2.com/en/latest/install-and-setup/setup/distributed-deployment/configuring-wso2-identity-server-as-a-key-manager/#step-4-configure-wso2-is-with-wso2-api-m
- Replace the following jar files available under the /repository/components/dropins directory with the latest updated versions found within the extracted connector's dropins directory:
- wso2is.key.manager.core jar
- wso2is.notification.event.handlers jar
- Remove the keymanager-operations.war and the keymanager-operations directory, which is in the /repository/deployment/server/webapps directory.
- Add the latest keymanager-operations.war from the extracted connector's webapps directory to /repository/deployment/server/webapps.
- Restart your WSO2 Identity Server deployments once the aforementioned changes are done.
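The jar and war swap steps above as an added POSIX shell example; this is not part of the advisory or of WSO2's own tooling. It assumes the first argument is the Identity Server install root and the second is the extracted connector, taken to contain dropins/ and webapps/ subdirectories as described, and it adds a post-update check that no stale jar version remains in dropins.

```shell
# Added example, not WSO2 tooling: applies the jar and war swap from this
# advisory to one Identity Server install and checks the result. Assumes
# $1 is the IS install root and $2 the extracted connector directory.

# Print the first file matching "<prefix>*.jar"; fail if there is none.
first_jar() {
    for f in "$1"*.jar; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

apply_km_connector() {
    is_home="$1"; connector="$2"
    dropins="$is_home/repository/components/dropins"
    webapps="$is_home/repository/deployment/server/webapps"
    backup="$is_home/km-connector-backup.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    for prefix in wso2is.key.manager.core wso2is.notification.event.handlers; do
        new_jar=$(first_jar "$connector/dropins/$prefix") ||
            { echo "connector is missing a $prefix jar" >&2; return 1; }
        # Move every existing version aside; a stale copy left beside the updated jar would still be loaded.
        for old in "$dropins/$prefix"*.jar; do
            if [ -e "$old" ]; then mv "$old" "$backup/"; fi
        done
        cp "$new_jar" "$dropins/"
    done
    # Remove both the war and the exploded directory before adding the new war.
    if [ -e "$webapps/keymanager-operations.war" ]; then
        mv "$webapps/keymanager-operations.war" "$backup/"
    fi
    rm -rf "$webapps/keymanager-operations"
    cp "$connector/webapps/keymanager-operations.war" "$webapps/"
}

# Post-update check: exactly one copy of each connector jar, the war present
# and no leftover exploded webapp. Returns non-zero on any finding.
verify_km_connector() {
    dropins="$1/repository/components/dropins"
    webapps="$1/repository/deployment/server/webapps"
    for prefix in wso2is.key.manager.core wso2is.notification.event.handlers; do
        n=0
        for f in "$dropins/$prefix"*.jar; do
            if [ -e "$f" ]; then n=$((n + 1)); fi
        done
        [ "$n" -eq 1 ] || { echo "expected 1 $prefix jar, found $n" >&2; return 1; }
    done
    [ -f "$webapps/keymanager-operations.war" ] || return 1
    [ ! -d "$webapps/keymanager-operations" ] || return 1
}
```

Run `apply_km_connector <IS_HOME> <CONNECTOR_DIR>` on each Identity Server node, then `verify_km_connector <IS_HOME>` before restarting it.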