CVE-2024-7096 MEDIUM

CVE-2024-7096: Privilege Escalation in Multiple WSO2 Products via SOAP Admin Service Due to Business Logic Flaw

Vendor Wso2
Product WSO2 Open Banking IAM
Weakness CWE-863 · Incorrect authorization
Published May 30, 2025
Last update December 3, 2025
View on NVD All CVEs

CVSS base score

4.2/10
Attack vector Adjacent
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: * SOAP admin services are accessible to the attacker. * The deployment includes an internally used attribute that is not part of the default WSO2 product configuration. * At least one custom role exists with non-default permissions. * The attacker has knowledge of the custom role and the internal attribute used in the deployment. Exploiting this vulnerability allows malicious actors to assign higher privileges to self-registered users, bypassing intended access control mechanisms.

Key dates

02Disclosure timeline

May 30, 2025 CVE published
December 3, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-28635 Defining resource name as integer in vantage6 may give unintended access CVE-2024-5705 Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization CVE-2025-12756 Insecure Direct Object Reference in Mattermost Boards Plugin Enables Unauthorised Comment Deletion CVE-2025-13432 Terraform Enterprise state versions can be created by users with specific permissions without sufficient write access CVE-2023-49783 No permission checks for editing/deleting records with CSV import form