Cross-Tenant Access via Application Consent Mismanagement in Multiple WSO2 Products Allows Unauthorized Data Exposure
Summary
| CVE | CVE-2025-13475 |
|---|---|
| State | PUBLISHED |
| Assigner | WSO2 |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-04 13:16:30 UTC |
| Updated | 2026-07-04 13:16:30 UTC |
| Description | In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. Consent granted by a user for a specific SaaS application within one tenant can be incorrectly applied to SaaS applications with the same name in other tenants, leading to unintended cross-tenant consent sharing. This vulnerability may result in the exposure of user data across tenants, enabling SaaS applications in different tenants to access and modify information without explicit user authorization. This can lead to unauthorized data access and privacy violations. This vulnerability has no impact if the deployment does not support multi-tenancy. |
Risk And Classification
Primary CVSS: v3.1 3.5 LOW from ed10eef1-636d-4fbe-9993-6890dfa878f8
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Problem Types: CWE-288: Access of Unprotected Resource
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ed10eef1-636d-4fbe-9993-6890dfa878f8 | Secondary | 3.5 | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |
| 3.1 | CNA | CVSS | 3.5 | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | None |
| Availability | None |
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Status | Version | Range End | Version Type | Platforms |
|---|---|---|---|---|---|---|---|
| CNA | WSO2 | WSO2 Identity Server | unknown | 5.10.0 | | custom | Not specified |
| CNA | WSO2 | WSO2 Identity Server | affected | 5.10.0 | 5.10.0.382 | custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | unknown | 3.2.0 | | custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected | 3.2.0 | 3.2.0.457 | custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected | 3.2.1 | 3.2.1.76 | custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO... | ed10eef1-636d-4fbe-9993-6890dfa878f8 | security.docs.wso2.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
Solutions
CNA: Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-1613/#solution
There are currently no legacy QID mappings associated with this CVE.