The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions. A malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges. This could lead to unintended behavior or misuse, particularly in production environments.
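The flaw class described above, modelled in a small added example (not WSO2's code): a resource-to-role map for gateway API calls where an unmapped resource, or one guarded only by the everyone-role, is reachable by any valid account, beside a default-deny check and an audit helper that flags such resources. Resource paths and role names other than 'Internal/Everyone' are constructed.

```python
# Illustrative model of the advisory's bug class; not WSO2 APIM code.
# Resource paths and the devops/publisher roles are constructed examples.

EVERYONE_ROLE = "Internal/Everyone"   # held by every authenticated user

# Constructed mapping of gateway API resources to the roles allowed to call them.
RESOURCE_ROLES = {
    "/gateway/apis/deploy": {"Internal/devops"},
    "/gateway/apis/list": {"Internal/devops", "Internal/publisher"},
    "/gateway/keys/revoke": {EVERYONE_ROLE},   # misconfigured: effectively unrestricted
}


def is_authorized_flawed(user_roles, resource):
    """Flawed check: unmapped resources default to allow, and any overlap
    counts, so holding only Internal/Everyone reaches /gateway/keys/revoke."""
    required = RESOURCE_ROLES.get(resource)
    if required is None:
        return True                      # default-allow for unmapped resources
    return bool(set(user_roles) & required)


def is_authorized_hardened(user_roles, resource):
    """Hardened check: default-deny unmapped resources and never let the
    everyone-role alone satisfy a privileged resource."""
    required = RESOURCE_ROLES.get(resource)
    if not required:
        return False                     # unmapped resource: deny
    effective = required - {EVERYONE_ROLE}
    if not effective:
        return False                     # guarded only by the everyone-role: deny
    return bool(set(user_roles) & effective)


def audit_resource_roles(mapping):
    """Return resources whose only guard is the everyone-role (or no role at all),
    i.e. the condition a reviewer should flag in a deployment's role mapping."""
    return sorted(r for r, roles in mapping.items() if not (roles - {EVERYONE_ROLE}))
```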
| Vendor | Product | Versions |
|---|---|---|
| wso2 | wso2 api control plane | 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 6.7.206, 6.7.210, 9.0.174, 9.20.74, 9.28.116, 9.29.120, 9.30.67, 9.31.86 |
Updated severity to CRITICAL, marked as actively exploited, and noted that no exploit currently exists.
Initial creation