Denial of Service via Malicious JSON Payloads in Throttling Events in Multiple WSO2 Products Causing Persistent Service Disruption
Summary
| CVE | CVE-2026-4249 |
|---|---|
| State | PUBLISHED |
| Assigner | WSO2 |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-06 11:16:30 UTC |
| Updated | 2026-07-09 13:04:57 UTC |
| Description | The throttling event handling mechanism in multiple WSO2 products accepts user-supplied JSON payloads without sufficient validation of their structure and content. This allows an unauthenticated remote attacker to inject malicious JSON data that can lead to a persistent denial of service condition. Successful exploitation of this vulnerability can disrupt the API Gateway, preventing legitimate API traffic from being processed and impacting complete service availability. The denial of service is persistent, requiring manual intervention to restore normal operations. |
Risk And Classification
Primary CVSS: v3.1 8.6 HIGH from ed10eef1-636d-4fbe-9993-6890dfa878f8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS: 0.003390000 probability, percentile 0.258740000 (date 2026-07-08)
Problem Types: CWE-707 | CWE-707 CWE-707: Use of Out-of-Scope Validation
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ed10eef1-636d-4fbe-9993-6890dfa878f8 | Secondary | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H |
| 3.1 | CNA | CVSS | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
ChangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Wso2 | Api Control Plane | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | WSO2 | WSO2 Universal Gateway | affected 4.5.0 4.5.0.54 custom | Not specified |
| CNA | WSO2 | WSO2 Universal Gateway | affected 4.6.0 4.6.0.18 custom | Not specified |
| CNA | WSO2 | WSO2 Universal Gateway | affected 4.7.0 4.7.0.2 custom | Not specified |
| CNA | WSO2 | WSO2 Traffic Manager | affected 4.5.0 4.5.0.53 custom | Not specified |
| CNA | WSO2 | WSO2 Traffic Manager | affected 4.6.0 4.6.0.18 custom | Not specified |
| CNA | WSO2 | WSO2 Traffic Manager | affected 4.7.0 4.7.0.2 custom | Not specified |
| CNA | WSO2 | WSO2 API Control Plane | affected 4.5.0 4.5.0.55 custom | Not specified |
| CNA | WSO2 | WSO2 API Control Plane | affected 4.6.0 4.6.0.19 custom | Not specified |
| CNA | WSO2 | WSO2 API Control Plane | affected 4.7.0 4.7.0.2 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | unknown 3.2.0 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 3.2.0 3.2.0.470 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 3.2.1 3.2.1.89 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 4.0.0 4.0.0.390 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 4.1.0 4.1.0.254 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 4.2.0 4.2.0.194 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 4.3.0 4.3.0.105 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 4.4.0 4.4.0.69 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 4.5.0 4.5.0.54 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 4.6.0 4.6.0.18 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 4.7.0 4.7.0.2 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO... | ed10eef1-636d-4fbe-9993-6890dfa878f8 | security.docs.wso2.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
Solutions
CNA: Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2026-5236/#solution
There are currently no legacy QID mappings associated with this CVE.