Zero Day Monitor (ZDM)
Zero Day Monitor © 2026
CVE-2026-2053 · CVSS 8.3 · EXPLOITED · PATCHED
Vendor / product: wso2 · api_manager

Unauthenticated Server-Side Request Forgery via WS-Addressing in WSO2 API Manager

Description

The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows an attacker to manipulate WS-Addressing headers to specify arbitrary destinations for server-initiated requests. Successful exploitation allows an unauthenticated attacker to control the destination of server-initiated requests originating from the WSO2 API Manager. This direct control can enable unauthorized access to internal network resources or services that would typically be inaccessible from external networks.

Affected Products

Vendor    Product        Versions
wso2      api_manager    3.1.0, 3.2.0, 3.2.1, 4.0.0, 4.2.0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor         Product                    Source           Confidence
open source    open source wso2 api       cert_advisory    90%

References

  • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2026-5072/ (vendor advisory)

Related News (2 articles)

Tier B · BSI Advisories · 1d ago
[NEW] [high] WSO2 API Manager: Multiple Vulnerabilities
→ No new info (linked only)

Tier C · VulDB · 1d ago
CVE-2026-2053 | WSO2 API Manager up to 3.0.x Destination server-side request forgery
→ No new info (linked only)
CVSS 3.1: 8.3 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
CISA KEV: No
Actively exploited: Yes
Patch available (fixed update levels): 3.1.0.360, 3.2.0.465, 3.2.1.84, 4.0.0.385, 4.2.0.189
CWE: CWE-918 (Server-Side Request Forgery)
Published: Jun 26, 2026
Last enriched: 1d ago (v2)
Trending Score: 55
Source articles: 2
Independent: 2
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2025-10908 · EXP
Account Lock Bypass via Magic Link or Pass Key Authentication in WSO2 Identity Server Allows Unauthorized Access

MEDIUM · CVE-2024-0391 · EXP
Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery

MEDIUM · CVE-2025-9973
Authorization Bypass via Adaptive Authentication in WSO2 Identity Server Allows Cross-Organization Account Takeover

MEDIUM · CVE-2025-8325 · EXP
Improper Access Control via Gateway API in Multiple WSO2 Products Allows Unauthorized Operations

HIGH · CVE-2024-2374
XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary File Read and Denial of Service

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Jun 26, 2026
Discovered by ZDM: Jun 26, 2026
Updated (affectedVersions, severity, activelyExploited): Jun 26, 2026
Actively Exploited: Jun 26, 2026
Patch Available: Jun 26, 2026

Version History

Current version: v2 (last enriched 1d ago)

v2 · Tier C · 1d ago
Updated severity to CRITICAL, added affected version 3.0.0, and noted that no exploit is available.
Fields changed: affectedVersions, severity, activelyExploited
via VulDB

v1 · 1d ago
Initial creation