CVE-2025-8325

high

Published 2026-05-11 · Modified 2026-05-27

CVSS v3

8.8

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2

—

VIR risk

8.8

Description

The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions. A malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges. This could lead to unintended behavior or misuse, particularly in production environments.

Predictions

Exploit likelihood

92%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: ed10eef1-636d-4fbe-9993-6890dfa878f8 — https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4401/

Application impact

Vendor	Product	Versions	Fixed
wso2	api_control_plane	`{"startIncluding":"4.5.0","endExcluding":"4.5.0.18"}`	`4.5.0.18`
wso2	api_manager	`{"startIncluding":"3.2.0","endExcluding":"3.2.0.435"}`	`3.2.0.435`
wso2	traffic_manager	`{"startIncluding":"4.5.0","endExcluding":"4.5.0.17"}`	`4.5.0.17`
wso2	universal_gateway	`{"startIncluding":"4.5.0","endExcluding":"4.5.0.17"}`	`4.5.0.17`

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4401/

CWEs

CWE-281

Verify integrity in audit chain (admin only). AS-IS.