Role Overwriting via Silent JIT Provisioning in Multiple WSO2 Products Enables Privilege Escalation
Summary
| CVE | CVE-2024-1248 |
|---|---|
| State | PUBLISHED |
| Assigner | WSO2 |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-04 21:17:13 UTC |
| Updated | 2026-07-09 18:47:41 UTC |
| Description | The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users with roles assigned to the federated user. Exploitation requires a federated identity provider (IDP) with silent JIT provisioning enabled and an attacker's knowledge of a local user's username. When these conditions are met, a malicious individual can leverage the JIT provisioning process to modify the roles of local users. The overwritten roles are limited to those defined within the federated IDP, typically granting minimal access rights unless explicitly configured otherwise by the federated IDP administrator. |
Risk And Classification
Primary CVSS: v3.1 5.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.002050000 probability, percentile 0.106110000 (date 2026-07-08)
Problem Types: CWE-298 | CWE-298 CWE-298: Improper Handling of Identity During Provisioning
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | ed10eef1-636d-4fbe-9993-6890dfa878f8 | Secondary | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L |
| 3.1 | CNA | CVSS | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
LowAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Wso2 | Api Manager | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | WSO2 | WSO2 API Manager | unknown 3.0.0 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 3.0.0 3.0.0.153 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 3.1.0 3.1.0.267 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 3.2.0 3.2.0.351 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 4.0.0 4.0.0.269 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 4.1.0 4.1.0.169 custom | Not specified |
| CNA | WSO2 | WSO2 Identity Server | unknown 5.8.0 custom | Not specified |
| CNA | WSO2 | WSO2 Identity Server | affected 5.8.0 5.8.0.101 custom | Not specified |
| CNA | WSO2 | WSO2 Identity Server | affected 5.9.0 5.9.0.138 custom | Not specified |
| CNA | WSO2 | WSO2 Identity Server | affected 5.10.0 5.10.0.284 custom | Not specified |
| CNA | WSO2 | WSO2 Identity Server | affected 5.11.0 5.11.0.321 custom | Not specified |
| CNA | WSO2 | WSO2 Identity Server As Key Manager | unknown 5.9.0 custom | Not specified |
| CNA | WSO2 | WSO2 Identity Server As Key Manager | affected 5.9.0 5.9.0.148 custom | Not specified |
| CNA | WSO2 | WSO2 Identity Server As Key Manager | affected 5.10.0 5.10.0.280 custom | Not specified |
| CNA | WSO2 | WSO2 Open Banking AM | unknown 2.0.0 custom | Not specified |
| CNA | WSO2 | WSO2 Open Banking AM | affected 2.0.0 2.0.0.313 custom | Not specified |
| CNA | WSO2 | WSO2 Open Banking IAM | unknown 2.0.0 custom | Not specified |
| CNA | WSO2 | WSO2 Open Banking IAM | affected 2.0.0 2.0.0.333 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO... | ed10eef1-636d-4fbe-9993-6890dfa878f8 | security.docs.wso2.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
Solutions
CNA: Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3179/#solution
There are currently no legacy QID mappings associated with this CVE.