CVE-2025-8325

Published: Mag 11, 2026 Last Modified: Mag 11, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,3

Source: ed10eef1-636d-4fbe-9993-6890dfa878f8

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: low

Integrity: low

Availability: low

Description

AI Translation Available

The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions.

A malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges. This could lead to unintended behavior or misuse, particularly in production environments.

281

Improper Preservation of Permissions

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity

Potential Impacts:

Read Application Data Modify Application Data

Applicable Platforms

All platforms may be affected

View CWE Details

https://security.docs.wso2.com/en/latest/security-announcem…

https://security.docs.wso2.com/en/latest/security-announcements/security-adviso…

CVE-2025-8325

Description

Improper Preservation of Permissions

Common Consequences

Applicable Platforms

Iscriviti alla newsletter