diff --git a/en/docs/security-announcements/security-advisories/2026/2026-advisories.md b/en/docs/security-announcements/security-advisories/2026/2026-advisories.md index c8021ef1..0662ad59 100644 --- a/en/docs/security-announcements/security-advisories/2026/2026-advisories.md +++ b/en/docs/security-announcements/security-advisories/2026/2026-advisories.md @@ -9,6 +9,8 @@ category: security-announcements * [WSO2-2026-5328]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-5328) * [WSO2-2026-5236]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-5236) * [WSO2-2026-5212]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-5212) +* [WSO2-2026-5174]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-5174) +* [WSO2-2026-5164]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-5164) * [WSO2-2026-5146]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-5146) * [WSO2-2026-5100]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-5100) * [WSO2-2026-5077]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-5077) @@ -23,6 +25,7 @@ category: security-announcements * [WSO2-2025-4897]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4897) * [WSO2-2025-4891]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4891) * [WSO2-2025-4849]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4849) +* [WSO2-2026-4844]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-4844) * [WSO2-2025-4829]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4829) * [WSO2-2025-4800]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4800) * [WSO2-2025-4771]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4771) @@ -33,6 +36,7 @@ category: security-announcements * [WSO2-2025-4684]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4684) * [WSO2-2025-4672]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4672) * [WSO2-2025-4619]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4619) +* [WSO2-2026-4608]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-4608) * [WSO2-2025-4597]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4597) * [WSO2-2025-4583]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4583) * [WSO2-2025-4577]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4577) @@ -56,6 +60,7 @@ category: security-announcements * [WSO2-2025-4316]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4316) * [WSO2-2025-4306]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4306) * [WSO2-2025-4251]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4251) +* [WSO2-2025-4227]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4227) * [WSO2-2025-4195]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4195) * [WSO2-2025-4193]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4193) * [WSO2-2025-4177]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4177) diff --git a/en/docs/security-announcements/security-advisories/2026/WSO2-2025-4227.md b/en/docs/security-announcements/security-advisories/2026/WSO2-2025-4227.md new file mode 100644 index 00000000..e95b14fa --- /dev/null +++ b/en/docs/security-announcements/security-advisories/2026/WSO2-2025-4227.md @@ -0,0 +1,117 @@ +--- +title: Security Advisory WSO2-2025-4227/CVE-2025-5802 +category: security-announcements +published: "July 04, 2026" +version: "1.0" +severity: "Medium" +cvss: "5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)" +--- + +# Security Advisory WSO2-2025-4227/CVE-2025-5802 + +

Published: July 04, 2026

+

Updated: July 04, 2026

+

Version: 1.0

+

Severity: Medium

+

CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

+

CVE IDs: CVE-2025-5802

+--- + +### AFFECTED PRODUCTS +* WSO2 API Control Plane: 4.6.0, 4.5.0 +* WSO2 API Manager: 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0 +* WSO2 Identity Server: 7.2.0, 7.1.0, 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0 +* WSO2 Identity Server as Key Manager: 5.10.0 +* WSO2 Open Banking AM: 2.0.0 +* WSO2 Open Banking IAM: 2.0.0 +* WSO2 Traffic Manager: 4.6.0, 4.5.0 +* WSO2 Universal Gateway: 4.6.0, 4.5.0 + + +### OVERVIEW +Potential username enumeration in self registration flow. + + +### DESCRIPTION +In the self-registration flow, attempting to sign up with a username that already exists triggers an error message indicating that the username is in use. This behavior can inadvertently reveal whether a username is registered, leading to username enumeration. + + +### IMPACT +The discovery of valid usernames can increase the risk of brute force attacks, social engineering attacks, and information leakage. As an example, attackers can use the list of usernames to craft targeted phishing emails or other social engineering attacks to trick users into divulging sensitive information. + + +### SOLUTION + + + +#### Community Users (Open Source) +Apply the relevant fixes to your product using the public fix(es) provided below. + +* [https://github.com/wso2-extensions/identity-governance/pull/1097](https://github.com/wso2-extensions/identity-governance/pull/1097) +* [https://github.com/wso2/product-apim/pull/14023](https://github.com/wso2/product-apim/pull/14023) +* [https://github.com/wso2/carbon-apimgt/pull/13650](https://github.com/wso2/carbon-apimgt/pull/13650) + +If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s). + + +#### Support Subscription Holders + +Update your product to the specified update level or a higher update level to apply the fix. + +!!! info todo + **WSO2 Support Subscription Holders may use [WSO2 Updates](https://wso2.com/updates/) in order to apply the fix.** + +| Product Name | Product Version | Update Level | +| ----------------------------------- | --------------- | ------------ | +| WSO2 API Control Plane | 4.6.0 | 18 | +| WSO2 API Control Plane | 4.5.0 | 56 | +| WSO2 API Manager | 4.6.0 | 17 | +| WSO2 API Manager | 4.5.0 | 55 | +| WSO2 API Manager | 4.4.0 | 72 | +| WSO2 API Manager | 4.3.0 | 112 | +| WSO2 API Manager | 4.2.0 | 200 | +| WSO2 API Manager | 4.1.0 | 262 | +| WSO2 API Manager | 4.0.0 | 379 | +| WSO2 API Manager | 3.2.1 | 96 | +| WSO2 API Manager | 3.2.0 | 458 | +| WSO2 API Manager | 3.2.0 | 478 | +| WSO2 API Manager | 3.1.0 | 354 | +| WSO2 Identity Server | 7.2.0 | 3 | +| WSO2 Identity Server | 7.1.0 | 41 | +| WSO2 Identity Server | 7.0.0 | 133 | +| WSO2 Identity Server | 6.1.0 | 234 | +| WSO2 Identity Server | 6.1.0 | 257 | +| WSO2 Identity Server | 6.0.0 | 257 | +| WSO2 Identity Server | 5.11.0 | 430 | +| WSO2 Identity Server | 5.10.0 | 383 | +| WSO2 Identity Server as Key Manager | 5.10.0 | 374 | +| WSO2 Open Banking AM | 2.0.0 | 403 | +| WSO2 Open Banking IAM | 2.0.0 | 423 | +| WSO2 Traffic Manager | 4.6.0 | 17 | +| WSO2 Traffic Manager | 4.5.0 | 54 | +| WSO2 Universal Gateway | 4.6.0 | 17 | +| WSO2 Universal Gateway | 4.5.0 | 55 | + +After applying the provided update or public PR to the affected product versions, follow the instructions below to apply the required configurations for the respective product to fully mitigate the identified vulnerability. + +**WSO2 Identity Server 7.2.0, 7.1.0 and 7.0.0** + +In the Console, navigate to Login & Registration and uncheck "Display message if username unavailable" with account verification enabled. (This configuration was already available in 7.1.0 upwards and is now extended to cover additional flows.) + +**WSO2 Identity Server 6.1.0 and 6.0.0** + +In the Carbon Management Console, navigate to `Home > Identity > Identity Providers > Resident > User Onboarding > Self Registration`. Uncheck the newly introduced configuration "Display message if username unavailable" with account confirmation enabled. + +**WSO2 Identity Server 5.11.0** + +In the Carbon Management Console, navigate to `Home > Identity > Identity Providers > Resident > User Onboarding > Self Registration`. Uncheck the newly introduced configuration "Display message if username unavailable". + +**WSO2 Identity Server 5.10.0** + +In the `Carbon Management Console, navigate to Home > Identity > Identity Providers > Resident > Account Management Policies > User Self Registration`. Uncheck the newly introduced configuration "Display message if username unavailable" with account confirmation enabled. + +**WSO2 API Manager 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0 and 4.6.0** + +In the `Carbon Management Console, navigate to Main > Home > Identity > Identity Providers > Resident > User Onboarding > Self Registration`. Uncheck the newly introduced configuration "Display message if username unavailable" and check “Send sign up confirmation email” and “Lock user account on creation” configurations with account verification via email enabled. + + diff --git a/en/docs/security-announcements/security-advisories/2026/WSO2-2026-4608.md b/en/docs/security-announcements/security-advisories/2026/WSO2-2026-4608.md new file mode 100644 index 00000000..27dedd9c --- /dev/null +++ b/en/docs/security-announcements/security-advisories/2026/WSO2-2026-4608.md @@ -0,0 +1,126 @@ +--- +title: WSO2-2026-4608 +--- + +# WSO2-2026-4608 + +Content to be added. +--- +title: Security Advisory WSO2-2026-4608/CVE-2026-3863 +category: security-announcements +published: "July 04, 2026" +version: "1.0" +severity: "Medium" +cvss: "4.9" +--- + +# Security Advisory WSO2-2026-4608/CVE-2026-3863 + +

Published: July 04, 2026

+

Updated: July 04, 2026

+

Version: 1.0

+

Severity: Medium

+

CVSS Score: 4.9

+

CVE IDs: CVE-2026-3863

+--- + +### AFFECTED PRODUCTS +* WSO2 API Control Plane: 4.6.0, 4.5.0 +* WSO2 API Manager: 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 3.2.1, 3.2.0 +* WSO2 Traffic Manager: 4.6.0, 4.5.0 +* WSO2 Universal Gateway: 4.6.0, 4.5.0 + + +### OVERVIEW +Authenticated Denial-of-Service (DoS) vulnerability. + + +### DESCRIPTION +An authenticated user with publisher privileges can submit a URL referencing a large file. Processing this file can lead to uncontrolled memory consumption, potentially resulting in an out-of-memory condition. + + +### IMPACT +A user with publisher privileges can exploit this vulnerability. A successful exploitation could result in the complete unavailability of the service. + + +### SOLUTION + + + +#### Community Users (Open Source) +Apply the relevant fixes to your product using the public fix(es) provided below. + +* [https://github.com/wso2/product-apim/pull/14151](https://github.com/wso2/product-apim/pull/14151) +* [https://github.com/wso2/carbon-apimgt/pull/13784](https://github.com/wso2/carbon-apimgt/pull/13784) + +If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s). + + +#### Support Subscription Holders + +Update your product to the specified update level or a higher update level to apply the fix. + +!!! info todo + **WSO2 Support Subscription Holders may use [WSO2 Updates](https://wso2.com/updates/) in order to apply the fix.** + +| Product Name | Product Version | Update Level | +| ---------------------- | --------------- | ------------ | +| WSO2 API Control Plane | 4.6.0 | 25 | +| WSO2 API Control Plane | 4.5.0 | 61 | +| WSO2 API Manager | 4.6.0 | 24 | +| WSO2 API Manager | 4.5.0 | 60 | +| WSO2 API Manager | 4.4.0 | 71 | +| WSO2 API Manager | 4.4.0 | 75 | +| WSO2 API Manager | 4.3.0 | 110 | +| WSO2 API Manager | 4.2.0 | 199 | +| WSO2 API Manager | 4.1.0 | 259 | +| WSO2 API Manager | 3.2.1 | 93 | +| WSO2 API Manager | 3.2.0 | 474 | +| WSO2 Traffic Manager | 4.6.0 | 24 | +| WSO2 Traffic Manager | 4.5.0 | 58 | +| WSO2 Universal Gateway | 4.6.0 | 24 | +| WSO2 Universal Gateway | 4.5.0 | 60 | + +After applying the provided update or public PR to the affected product versions, it is necessary to follow the below given instruction. + +This update resolves the issue by enforcing a default file upload limit of 10 MB. To adjust this limit, you can modify the `/repository/conf/deployment.toml` file. Apply the following configurations to increase or decrease the default file size limit as part of the security update: + +* For WSO2 APIM 3.2.0, 3.2.1: + +```toml +[apim.publisher.import_definition_file_size_limit] +oas=20 +wsdl=20 +``` + +For WSO2 APIM 4.1.0, 4.2.0, 4.3.0, 4.4.0: + +```toml +[apim.publisher.import_definition_file_size_limit] +oas=20 +wsdl=20 +async=20 +``` + +* For WSO2 APIM 4.5.0: + +```toml +[apim.publisher.import_definition_file_size_limit] +oas=20 +wsdl=20 +async=20 +graphql=20 +``` + +* For WSO2 APIM 4.6.0: + +```toml +[apim.publisher.import_definition_file_size_limit] +oas=20 +wsdl=20 +async=20 +graphql=20 +mcp=20 +``` + +The aforementioned values represent the maximum file size limit in megabytes (MB) for importing API definitions through a URL across OAS, Async, WSDL, GraphQL, and MCP formats. diff --git a/en/docs/security-announcements/security-advisories/2026/WSO2-2026-4844.md b/en/docs/security-announcements/security-advisories/2026/WSO2-2026-4844.md new file mode 100644 index 00000000..d2d3e268 --- /dev/null +++ b/en/docs/security-announcements/security-advisories/2026/WSO2-2026-4844.md @@ -0,0 +1,165 @@ +--- +title: Security Advisory WSO2-2026-4844/CVE-2026-4103 +category: security-announcements +published: "July 04, 2026" +version: "1.0" +severity: "Medium" +cvss: "6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)" +--- + +# Security Advisory WSO2-2026-4844/CVE-2026-4103 + +

Published: July 04, 2026

+

Updated: July 04, 2026

+

Version: 1.0

+

Severity: Medium

+

CVSS Score: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

+

CVE IDs: CVE-2026-4103

+--- + +### AFFECTED PRODUCTS +* WSO2 API Control Plane: 4.6.0, 4.5.0 +* WSO2 API Manager: 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 3.2.1, 3.2.0 + + +### OVERVIEW +Stored XSS Vulnerability in WSO2 Publisher Portal and Developer Portal. + + +### DESCRIPTION +Insufficient HTML sanitization allows untrusted user input to trigger malicious JavaScript execution in the Publisher Portal and Developer Portal. + + +### IMPACT +Successful exploitation may result in the execution of malicious scripts when affected API documents are viewed. Users with permission to access the API documentation through the Publisher Portal or Developer Portal may be impacted, potentially allowing attackers to perform actions within the context of the user’s session depending on the user’s privileges. + + +### SOLUTION + + + +#### Community Users (Open Source) +Apply the relevant fixes to your product using the public fix(es) provided below. + +* [https://github.com/wso2/apim-apps/pull/1287](https://github.com/wso2/apim-apps/pull/1287) + +If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s). + + +#### Support Subscription Holders + +Update your product to the specified update level or a higher update level to apply the fix. + +!!! info todo + **WSO2 Support Subscription Holders may use [WSO2 Updates](https://wso2.com/updates/) in order to apply the fix.** + +| Product Name | Product Version | Update Level | +| ---------------------- | --------------- | ------------ | +| WSO2 API Control Plane | 4.6.0 | 19 | +| WSO2 API Control Plane | 4.5.0 | 55 | +| WSO2 API Manager | 4.6.0 | 18 | +| WSO2 API Manager | 4.5.0 | 54 | +| WSO2 API Manager | 4.4.0 | 69 | +| WSO2 API Manager | 4.3.0 | 105 | +| WSO2 API Manager | 4.2.0 | 194 | +| WSO2 API Manager | 4.1.0 | 254 | +| WSO2 API Manager | 3.2.1 | 89 | +| WSO2 API Manager | 3.2.0 | 470 | + +After applying the provided update or public PR to the affected product versions, it is necessary to follow the below given instruction. + +This update introduces a new configuration option called sanitizeHtmlDocs. This option is now available in the settings for both the Publisher Portal and the Developer Portal, allowing users to enable HTML sanitization for API documentation content displayed within these portals. + +**WSO2 API Manager 4.2.0, 4.3.0, 4.4.0, 4.5.0 and 4.6.0:** + +Add the 'sanitizeHtmlDocs' configuration to the 'settings.json' files found in the following locations. + +* `/repository/deployment/server/webapps/publisher/site/public/conf/settings.json` +* `/repository/deployment/server/webapps/devportal/site/public/theme/settings.json` + +```json +{ + "app": { + // Other configurations... + "sanitizeHtmlDocs": { + "enabled": true, + "additionalAllowedTags": [], // e.g., ["iframe", "svg"] + "additionalAllowedAttributes": [] // e.g., ["onclick"] + } + } +} +``` + +**WSO2 API Manager 3.2.0, 3.2.1 and 4.1.0:** + +Add the 'sanitizeHtmlDocs' configuration to the 'settings.js' files located in `/repository/deployment/server/jaggeryapps/publisher/site/public/conf` + +```Javascript +const AppConfig = { + // ... Existing configurations + + app: { + // ... Existing configurations + + /** + * Configuration for HTML sanitization of documents. + */ + sanitizeHtmlDocs: { + /** + * Flag to enable or disable HTML sanitization. + */ + enabled: true, + + /** + * A list of additional HTML tags allowed by the sanitizer. + * Example: ["iframe", "svg"] + */ + additionalAllowedTags: [], + + /** + * A list of additional HTML attributes allowed by the sanitizer + * Example: ["onclick"] + */ + additionalAllowedAttributes: [], + }, + }, +}; +``` + +Add the 'sanitizeHtmlDocs' configuration to the 'settings.js' files located in `/repository/deployment/server/jaggeryapps/devportal/site/public/theme` + +```Javascript +const Settings = { + // ... Existing configurations ... + + app: { + // ... Existing configurations ... + + /** + * Configuration for HTML sanitization of documents. + */ + sanitizeHtmlDocs: { + /** + * Flag to enable or disable HTML sanitization. + */ + enabled: true, + + /** + * A list of additional HTML tags allowed by the sanitizer. + * Example: ["iframe", "svg"] + */ + additionalAllowedTags: [], + + /** + * A list of additional HTML attributes allowed by the sanitizer. + * Example: ["onclick"] + */ + additionalAllowedAttributes: [], + }, + }, +}; +``` + +### CREDITS +WSO2 thanks, **San Gil from Security Office** for responsibly reporting the identified issue and working with us as we addressed it. + diff --git a/en/docs/security-announcements/security-advisories/2026/WSO2-2026-5164.md b/en/docs/security-announcements/security-advisories/2026/WSO2-2026-5164.md new file mode 100644 index 00000000..25c90ef7 --- /dev/null +++ b/en/docs/security-announcements/security-advisories/2026/WSO2-2026-5164.md @@ -0,0 +1,67 @@ +--- +title: Security Advisory WSO2-2026-5164/CVE-2026-3096 +category: security-announcements +published: "July 04, 2026" +version: "1.0" +severity: "Medium" +cvss: "4.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)" +--- + +# Security Advisory WSO2-2026-5164/CVE-2026-3096 + +

Published: July 04, 2026

+

Updated: July 04, 2026

+

Version: 1.0

+

Severity: Medium

+

CVSS Score: 4.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)

+

CVE IDs: CVE-2026-3096

+--- + +### AFFECTED PRODUCTS +* WSO2 API Control Plane: 4.6.0 +* WSO2 API Manager: 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 3.2.1, 3.2.0 + + +### OVERVIEW +Potential Reverse Tabnabbing. + + +### DESCRIPTION +The product's web portals include functionality to open external links in a new browser tab. In certain instances, the originating window remains accessible to the newly opened page, allowing for potential interaction between the two browser contexts when navigating to external destinations. + + +### IMPACT +This vulnerability could allow an attacker to manipulate the original application window after a user clicks a malicious external link, potentially redirecting users to phishing pages, stealing credentials, or performing other unauthorized actions in the context of the trusted site. + + +### SOLUTION + + + +#### Community Users (Open Source) +Apply the relevant fixes to your product using the public fix(es) provided below. + +* [https://github.com/wso2/apim-apps/pull/1262](https://github.com/wso2/apim-apps/pull/1262) + +If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s). + + +#### Support Subscription Holders + +Update your product to the specified update level or a higher update level to apply the fix. + +!!! info todo + **WSO2 Support Subscription Holders may use [WSO2 Updates](https://wso2.com/updates/) in order to apply the fix.** + +| Product Name | Product Version | Update Level | +| ---------------------- | --------------- | ------------ | +| WSO2 API Control Plane | 4.6.0 | 18 | +| WSO2 API Manager | 4.6.0 | 16 | +| WSO2 API Manager | 4.5.0 | 52 | +| WSO2 API Manager | 4.4.0 | 67 | +| WSO2 API Manager | 4.3.0 | 103 | +| WSO2 API Manager | 4.2.0 | 192 | +| WSO2 API Manager | 4.1.0 | 252 | +| WSO2 API Manager | 3.2.1 | 87 | +| WSO2 API Manager | 3.2.0 | 468 | + diff --git a/en/docs/security-announcements/security-advisories/2026/WSO2-2026-5174.md b/en/docs/security-announcements/security-advisories/2026/WSO2-2026-5174.md new file mode 100644 index 00000000..1f2444d6 --- /dev/null +++ b/en/docs/security-announcements/security-advisories/2026/WSO2-2026-5174.md @@ -0,0 +1,65 @@ +--- +title: Security Advisory WSO2-2026-5174/CVE-2026-3416 +category: security-announcements +published: "July 04, 2026" +version: "1.0" +severity: "Medium" +cvss: "5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)" +--- + +# Security Advisory WSO2-2026-5174/CVE-2026-3416 + +

Published: July 04, 2026

+

Updated: July 04, 2026

+

Version: 1.0

+

Severity: Medium

+

CVSS Score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

+

CVE IDs: CVE-2026-3416

+--- + +### AFFECTED PRODUCTS +* WSO2 API Control Plane: 4.5.0 +* WSO2 API Manager: 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0 + + +### OVERVIEW +Predictable webhook HMAC secrets due to the use of non-cryptographic pseudorandom number generation. + + +### DESCRIPTION +The API Publisher previously used a non-cryptographic pseudorandom number generator to generate shared secrets for Webhook HMAC validation. As this method does not provide sufficient entropy for security-sensitive operations, a sophisticated attacker may be able to predict future secrets. This could allow malicious actors to forge event payloads with valid HMAC signatures, thereby bypassing the API Gateway’s authenticity verification mechanisms. + + +### IMPACT +Successful exploitation of this vulnerability could allow an attacker to predict shared secrets used for Webhook HMAC validation and forge event payloads with valid signatures. This may enable bypassing API Gateway authenticity checks, leading to unauthorized event injection, data manipulation, or downstream system compromise. + + +### SOLUTION + + + +#### Community Users (Open Source) +Apply the relevant fixes to your product using the public fix(es) provided below. + +* [https://github.com/wso2/apim-apps/pull/1279](https://github.com/wso2/apim-apps/pull/1279) + +If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s). + + +#### Support Subscription Holders + +Update your product to the specified update level or a higher update level to apply the fix. + +!!! info todo + **WSO2 Support Subscription Holders may use [WSO2 Updates](https://wso2.com/updates/) in order to apply the fix.** + +| Product Name | Product Version | Update Level | +| ---------------------- | --------------- | ------------ | +| WSO2 API Control Plane | 4.5.0 | 53 | +| WSO2 API Manager | 4.5.0 | 52 | +| WSO2 API Manager | 4.4.0 | 68 | +| WSO2 API Manager | 4.3.0 | 104 | +| WSO2 API Manager | 4.2.0 | 193 | +| WSO2 API Manager | 4.1.0 | 253 | + + diff --git a/en/docs/security-reporting/reward-and-acknowledgement-program/hall-of-fame.md b/en/docs/security-reporting/reward-and-acknowledgement-program/hall-of-fame.md index 9b7fb41c..66408cfc 100644 --- a/en/docs/security-reporting/reward-and-acknowledgement-program/hall-of-fame.md +++ b/en/docs/security-reporting/reward-and-acknowledgement-program/hall-of-fame.md @@ -17,20 +17,21 @@ security researcher community relationship. ### WSO2 Products and Infrastructure -| | -| :------------------------------------------------------------------------------------------------------------------- | -| [Abhishek Karle](https://linktr.ee/abhishekkarle) | -| [Alex Williams from Pellera Technologies](https://www.linkedin.com/in/alexanderwilliamscyber) | -| [Claire Wang](https://clairewang.net/) | -| [Hacktron Team](https://www.hacktron.ai/) | -| [Lasantha Karunarathne](https://www.linkedin.com/in/lasakaru/) | -| [Maneesha Dewmina](https://www.linkedin.com/in/maneesha-dewmina/) | -| [Manisha Dilshan](https://www.linkedin.com/in/manisha-dilshan-b08ba3215) | -| [Michał Majchrowicz, Marcin Wyczechowski, and Paweł Zdunek — members of the AFINE Team](https://afine.com/) | -| **Omri Inbar** | -| [Robert C. Raducioiu](https://it.linkedin.com/in/rbct) | -| [Suraj Theekshana and Ishan Nim (株式会社CyberCrew)](https://cyber.spool.co.jp/) | -| [Thinh Dang](https://www.linkedin.com/in/thinh-dang-bb4b72170/) | +| | +| :---------------------------------------------------------------------------------------------------------- | +| [Abhishek Karle](https://linktr.ee/abhishekkarle) | +| [Alex Williams from Pellera Technologies](https://www.linkedin.com/in/alexanderwilliamscyber) | +| [Claire Wang](https://clairewang.net/) | +| [Hacktron Team](https://www.hacktron.ai/) | +| [Lasantha Karunarathne](https://www.linkedin.com/in/lasakaru/) | +| [Maneesha Dewmina](https://www.linkedin.com/in/maneesha-dewmina/) | +| [Manisha Dilshan](https://www.linkedin.com/in/manisha-dilshan-b08ba3215) | +| [Michał Majchrowicz, Marcin Wyczechowski, and Paweł Zdunek — members of the AFINE Team](https://afine.com/) | +| **Omri Inbar** | +| [Robert C. Raducioiu](https://it.linkedin.com/in/rbct) | +| San Gil from Security Office | +| [Suraj Theekshana and Ishan Nim (株式会社CyberCrew)](https://cyber.spool.co.jp/) | +| [Thinh Dang](https://www.linkedin.com/in/thinh-dang-bb4b72170/) | diff --git a/en/mkdocs.yml b/en/mkdocs.yml index c61f84b9..a7f09bc7 100644 --- a/en/mkdocs.yml +++ b/en/mkdocs.yml @@ -78,6 +78,8 @@ nav: - 'WSO2-2026-5328': 'security-announcements/security-advisories/2026/WSO2-2026-5328.md' - 'WSO2-2026-5236': 'security-announcements/security-advisories/2026/WSO2-2026-5236.md' - 'WSO2-2026-5212': 'security-announcements/security-advisories/2026/WSO2-2026-5212.md' + - 'WSO2-2026-5174': 'security-announcements/security-advisories/2026/WSO2-2026-5174.md' + - 'WSO2-2026-5164': 'security-announcements/security-advisories/2026/WSO2-2026-5164.md' - 'WSO2-2026-5146': 'security-announcements/security-advisories/2026/WSO2-2026-5146.md' - 'WSO2-2026-5100': 'security-announcements/security-advisories/2026/WSO2-2026-5100.md' - 'WSO2-2026-5077': 'security-announcements/security-advisories/2026/WSO2-2026-5077.md' @@ -92,6 +94,7 @@ nav: - 'WSO2-2025-4897': 'security-announcements/security-advisories/2026/WSO2-2025-4897.md' - 'WSO2-2025-4891': 'security-announcements/security-advisories/2026/WSO2-2025-4891.md' - 'WSO2-2025-4849': 'security-announcements/security-advisories/2026/WSO2-2025-4849.md' + - 'WSO2-2026-4844': 'security-announcements/security-advisories/2026/WSO2-2026-4844.md' - 'WSO2-2025-4829': 'security-announcements/security-advisories/2026/WSO2-2025-4829.md' - 'WSO2-2025-4800': 'security-announcements/security-advisories/2026/WSO2-2025-4800.md' - 'WSO2-2025-4771': 'security-announcements/security-advisories/2026/WSO2-2025-4771.md' @@ -102,6 +105,7 @@ nav: - 'WSO2-2025-4684': 'security-announcements/security-advisories/2026/WSO2-2025-4684.md' - 'WSO2-2025-4672': 'security-announcements/security-advisories/2026/WSO2-2025-4672.md' - 'WSO2-2025-4619': 'security-announcements/security-advisories/2026/WSO2-2025-4619.md' + - 'WSO2-2026-4608': 'security-announcements/security-advisories/2026/WSO2-2026-4608.md' - 'WSO2-2025-4597': 'security-announcements/security-advisories/2026/WSO2-2025-4597.md' - 'WSO2-2025-4583': 'security-announcements/security-advisories/2026/WSO2-2025-4583.md' - 'WSO2-2025-4577': 'security-announcements/security-advisories/2026/WSO2-2025-4577.md' @@ -125,6 +129,7 @@ nav: - 'WSO2-2025-4316': 'security-announcements/security-advisories/2026/WSO2-2025-4316.md' - 'WSO2-2025-4306': 'security-announcements/security-advisories/2026/WSO2-2025-4306.md' - 'WSO2-2025-4251': 'security-announcements/security-advisories/2026/WSO2-2025-4251.md' + - 'WSO2-2025-4227': 'security-announcements/security-advisories/2026/WSO2-2025-4227.md' - 'WSO2-2025-4195': 'security-announcements/security-advisories/2026/WSO2-2025-4195.md' - 'WSO2-2025-4193': 'security-announcements/security-advisories/2026/WSO2-2025-4193.md' - 'WSO2-2025-4177': 'security-announcements/security-advisories/2026/WSO2-2025-4177.md'