

Security Advisory WSO2-2026-5328/CVE-2026-5430¶

Published: 2026-05-03

Version: 1.0.0

Severity: Critical

CVSS Score: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVE IDs: CVE-2026-5430

AFFECTED PRODUCTS¶

WSO2 API Control Plane: 4.6.0, 4.5.0
WSO2 API Manager: 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0
WSO2 Traffic Manager: 4.6.0, 4.5.0
WSO2 Universal Gateway: 4.6.0, 4.5.0

OVERVIEW¶

Account takeover via authentication bypass vulnerability.

DESCRIPTION¶

JWT authentication can be bypassed when a token is signed using an unsupported algorithm, allowing unauthorized access.

IMPACT¶

Successful exploitation of the vulnerability may lead to unauthorized access, including potential compromise of administrative accounts and full account takeover.

The CVSS score is adjusted to 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in single-tenant deployments. This adjustment reflects that the impact is contained within a single security authority boundary.

SOLUTION¶

Community Users (Open Source)¶

Apply the relevant fixes to your product using the public fix(es) provided below.

If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).

Support Subscription Holders¶

Update your product to the specified update level, or to a higher update level, to mitigate the identified vulnerability.

Info

WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.

Product Name	Product Version	Update Level
WSO2 API Control Plane	4.6.0	22
WSO2 API Control Plane	4.5.0	58
WSO2 API Manager	4.6.0	21
WSO2 API Manager	4.5.0	57
WSO2 API Manager	4.4.0	72
WSO2 API Manager	4.3.0	108
WSO2 API Manager	4.2.0	197
WSO2 API Manager	4.1.0	257
WSO2 Traffic Manager	4.6.0	21
WSO2 Traffic Manager	4.5.0	56
WSO2 Universal Gateway	4.6.0	21
WSO2 Universal Gateway	4.5.0	57

CREDITS¶

WSO2 thanks, Hacktron Team for responsibly reporting the identified issue and working with us as we addressed it.