CVE-2025-10611

Published: Oct 16, 2025
Modified: Oct 16, 2025
Status: PUBLISHED
CVSS v3.1: 9.8 (CRITICAL)

Description

Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations.

Affected Vendor / Product / Versions

WSO2 / WSO2 API Manager
  unknown:  0 - < 2.1.0
  affected: 2.1.0 - < 2.1.0.42
  affected: 2.2.0 - < 2.2.0.61
  affected: 2.5.0 - < 2.5.0.87
  affected: 2.6.0 - < 2.6.0.148
  +10 more versions

WSO2 / WSO2 API Control Plane
  affected: 4.5.0 - < 4.5.0.29

WSO2 / WSO2 Open Banking AM
  unknown:  0 - < 1.4.0
  affected: 1.4.0 - < 1.4.0.141
  affected: 1.5.0 - < 1.5.0.142
  affected: 2.0.0 - < 2.0.0.394

WSO2 / WSO2 Open Banking IAM
  unknown:  0 - < 2.0.0
  affected: 2.0.0 - < 2.0.0.414

WSO2 / WSO2 Identity Server
  unknown:  0 - < 5.3.0
  affected: 5.3.0 - < 5.3.0.39
  affected: 5.5.0 - < 5.5.0.54
  affected: 5.6.0 - < 5.6.0.62
  affected: 5.7.0 - < 5.7.0.128
  +8 more versions

WSO2 / WSO2 Identity Server as Key Manager
  unknown:  0 - < 5.3.0
  affected: 5.3.0 - < 5.3.0.44
  affected: 5.5.0 - < 5.5.0.55
  affected: 5.6.0 - < 5.6.0.77
  affected: 5.7.0 - < 5.7.0.127
  +2 more versions

WSO2 / WSO2 Open Banking KM
  unknown:  0 - < 1.4.0
  affected: 1.4.0 - < 1.4.0.135
  affected: 1.5.0 - < 1.5.0.125

WSO2 / WSO2 Universal Gateway
  affected: 4.5.0 - < 4.5.0.27

WSO2 / WSO2 Traffic Manager
  affected: 4.5.0 - < 4.5.0.27

WSO2 / org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service
  affected: 1.1.1 - < 1.1.1.7
  affected: 1.1.16 - < 1.1.16.6
  affected: 1.1.18 - < 1.1.18.7
  affected: 1.1.20 - < 1.1.20.9
  affected: 1.1.26 - < 1.1.26.11
  +12 more versions

WSO2 / org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.valve
  affected: 1.1.1 - < 1.1.1.7
  affected: 1.1.16 - < 1.1.16.6
  affected: 1.1.18 - < 1.1.18.7
  affected: 1.1.20 - < 1.1.20.9
  affected: 1.1.26 - < 1.1.26.11
  +12 more versions

CVSS v3.1 Details

CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVE-2025-10611 | CRITICAL (9.8) - Security Vulnerability | QwikSec