CVE-2025-9152 CRITICAL

CVE-2025-9152: Improper Privilege Management in Multiple WSO2 API Manager via keymanager-operations DCR Endpoint

Vendor Wso2
Product WSO2 API Manager
Published October 16, 2025
Last update October 17, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint. A malicious user can exploit this flaw to generate access tokens with elevated privileges, potentially leading to administrative access and the ability to perform unauthorized operations.

Key dates

02Disclosure timeline

October 16, 2025 CVE published
October 17, 2025 Record updated