Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ category: security-announcements
* [WSO2-2026-5328]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-5328)
* [WSO2-2026-5236]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-5236)
* [WSO2-2026-5212]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-5212)
* [WSO2-2026-5174]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-5174)
* [WSO2-2026-5164]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-5164)
* [WSO2-2026-5146]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-5146)
* [WSO2-2026-5100]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-5100)
* [WSO2-2026-5077]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-5077)
Expand All @@ -23,6 +25,7 @@ category: security-announcements
* [WSO2-2025-4897]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4897)
* [WSO2-2025-4891]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4891)
* [WSO2-2025-4849]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4849)
* [WSO2-2026-4844]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-4844)
* [WSO2-2025-4829]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4829)
* [WSO2-2025-4800]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4800)
* [WSO2-2025-4771]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4771)
Expand All @@ -33,6 +36,7 @@ category: security-announcements
* [WSO2-2025-4684]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4684)
* [WSO2-2025-4672]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4672)
* [WSO2-2025-4619]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4619)
* [WSO2-2026-4608]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2026-4608)
* [WSO2-2025-4597]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4597)
* [WSO2-2025-4583]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4583)
* [WSO2-2025-4577]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4577)
Expand All @@ -56,6 +60,7 @@ category: security-announcements
* [WSO2-2025-4316]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4316)
* [WSO2-2025-4306]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4306)
* [WSO2-2025-4251]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4251)
* [WSO2-2025-4227]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4227)
* [WSO2-2025-4195]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4195)
* [WSO2-2025-4193]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4193)
* [WSO2-2025-4177]({{#base_path#}}/security-announcements/security-advisories/2026/WSO2-2025-4177)
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,117 @@
---
title: Security Advisory WSO2-2025-4227/CVE-2025-5802
category: security-announcements
published: "July 04, 2026"
version: "1.0"
severity: "Medium"
cvss: "5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)"
---

# Security Advisory WSO2-2025-4227/CVE-2025-5802

<p class="doc-info">Published: July 04, 2026</p>
<p class="doc-info">Updated: July 04, 2026</p>
<p class="doc-info">Version: 1.0</p>
<p class="doc-info">Severity: Medium</p>
<p class="doc-info">CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)</p>
<p class="doc-info">CVE IDs: <a href="https://www.cve.org/CVERecord?id=CVE-2025-5802">CVE-2025-5802</a></p>
---

### AFFECTED PRODUCTS
* WSO2 API Control Plane: 4.6.0, 4.5.0
* WSO2 API Manager: 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0
* WSO2 Identity Server: 7.2.0, 7.1.0, 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0
* WSO2 Identity Server as Key Manager: 5.10.0
* WSO2 Open Banking AM: 2.0.0
* WSO2 Open Banking IAM: 2.0.0
* WSO2 Traffic Manager: 4.6.0, 4.5.0
* WSO2 Universal Gateway: 4.6.0, 4.5.0


### OVERVIEW
Potential username enumeration in self registration flow.


### DESCRIPTION
In the self-registration flow, attempting to sign up with a username that already exists triggers an error message indicating that the username is in use. This behavior can inadvertently reveal whether a username is registered, leading to username enumeration.


### IMPACT
The discovery of valid usernames can increase the risk of brute force attacks, social engineering attacks, and information leakage. As an example, attackers can use the list of usernames to craft targeted phishing emails or other social engineering attacks to trick users into divulging sensitive information.


### SOLUTION



#### Community Users (Open Source)
Apply the relevant fixes to your product using the public fix(es) provided below.

* [https://github.com/wso2-extensions/identity-governance/pull/1097](https://github.com/wso2-extensions/identity-governance/pull/1097)
* [https://github.com/wso2/product-apim/pull/14023](https://github.com/wso2/product-apim/pull/14023)
* [https://github.com/wso2/carbon-apimgt/pull/13650](https://github.com/wso2/carbon-apimgt/pull/13650)

If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).


#### Support Subscription Holders

Update your product to the specified update level or a higher update level to apply the fix.

!!! info todo
**WSO2 Support Subscription Holders may use [WSO2 Updates](https://wso2.com/updates/) in order to apply the fix.**

| Product Name | Product Version | Update Level |
| ----------------------------------- | --------------- | ------------ |
| WSO2 API Control Plane | 4.6.0 | 18 |
| WSO2 API Control Plane | 4.5.0 | 56 |
| WSO2 API Manager | 4.6.0 | 17 |
| WSO2 API Manager | 4.5.0 | 55 |
| WSO2 API Manager | 4.4.0 | 72 |
| WSO2 API Manager | 4.3.0 | 112 |
| WSO2 API Manager | 4.2.0 | 200 |
| WSO2 API Manager | 4.1.0 | 262 |
| WSO2 API Manager | 4.0.0 | 379 |
| WSO2 API Manager | 3.2.1 | 96 |
| WSO2 API Manager | 3.2.0 | 458 |
| WSO2 API Manager | 3.2.0 | 478 |
| WSO2 API Manager | 3.1.0 | 354 |
| WSO2 Identity Server | 7.2.0 | 3 |
| WSO2 Identity Server | 7.1.0 | 41 |
| WSO2 Identity Server | 7.0.0 | 133 |
| WSO2 Identity Server | 6.1.0 | 234 |
| WSO2 Identity Server | 6.1.0 | 257 |
| WSO2 Identity Server | 6.0.0 | 257 |
| WSO2 Identity Server | 5.11.0 | 430 |
| WSO2 Identity Server | 5.10.0 | 383 |
| WSO2 Identity Server as Key Manager | 5.10.0 | 374 |
| WSO2 Open Banking AM | 2.0.0 | 403 |
| WSO2 Open Banking IAM | 2.0.0 | 423 |
| WSO2 Traffic Manager | 4.6.0 | 17 |
| WSO2 Traffic Manager | 4.5.0 | 54 |
| WSO2 Universal Gateway | 4.6.0 | 17 |
| WSO2 Universal Gateway | 4.5.0 | 55 |

After applying the provided update or public PR to the affected product versions, follow the instructions below to apply the required configurations for the respective product to fully mitigate the identified vulnerability.

**WSO2 Identity Server 7.2.0, 7.1.0 and 7.0.0**

In the Console, navigate to Login & Registration and uncheck "Display message if username unavailable" with account verification enabled. (This configuration was already available in 7.1.0 upwards and is now extended to cover additional flows.)

**WSO2 Identity Server 6.1.0 and 6.0.0**

In the Carbon Management Console, navigate to `Home > Identity > Identity Providers > Resident > User Onboarding > Self Registration`. Uncheck the newly introduced configuration "Display message if username unavailable" with account confirmation enabled.

**WSO2 Identity Server 5.11.0**

In the Carbon Management Console, navigate to `Home > Identity > Identity Providers > Resident > User Onboarding > Self Registration`. Uncheck the newly introduced configuration "Display message if username unavailable".

**WSO2 Identity Server 5.10.0**

In the `Carbon Management Console, navigate to Home > Identity > Identity Providers > Resident > Account Management Policies > User Self Registration`. Uncheck the newly introduced configuration "Display message if username unavailable" with account confirmation enabled.

**WSO2 API Manager 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0 and 4.6.0**

In the `Carbon Management Console, navigate to Main > Home > Identity > Identity Providers > Resident > User Onboarding > Self Registration`. Uncheck the newly introduced configuration "Display message if username unavailable" and check “Send sign up confirmation email” and “Lock user account on creation” configurations with account verification via email enabled.


Original file line number Diff line number Diff line change
@@ -0,0 +1,126 @@
---
title: WSO2-2026-4608
---

# WSO2-2026-4608

Content to be added.
---
title: Security Advisory WSO2-2026-4608/CVE-2026-3863
category: security-announcements
published: "July 04, 2026"
version: "1.0"
severity: "Medium"
cvss: "4.9"
---
Comment thread
anjai94 marked this conversation as resolved.

# Security Advisory WSO2-2026-4608/CVE-2026-3863

<p class="doc-info">Published: July 04, 2026</p>
<p class="doc-info">Updated: July 04, 2026</p>
<p class="doc-info">Version: 1.0</p>
<p class="doc-info">Severity: Medium</p>
<p class="doc-info">CVSS Score: 4.9</p>
<p class="doc-info">CVE IDs: <a href="https://www.cve.org/CVERecord?id=CVE-2026-3863">CVE-2026-3863</a></p>
---

### AFFECTED PRODUCTS
* WSO2 API Control Plane: 4.6.0, 4.5.0
* WSO2 API Manager: 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 3.2.1, 3.2.0
* WSO2 Traffic Manager: 4.6.0, 4.5.0
* WSO2 Universal Gateway: 4.6.0, 4.5.0


### OVERVIEW
Authenticated Denial-of-Service (DoS) vulnerability.


### DESCRIPTION
An authenticated user with publisher privileges can submit a URL referencing a large file. Processing this file can lead to uncontrolled memory consumption, potentially resulting in an out-of-memory condition.


### IMPACT
A user with publisher privileges can exploit this vulnerability. A successful exploitation could result in the complete unavailability of the service.


### SOLUTION



#### Community Users (Open Source)
Apply the relevant fixes to your product using the public fix(es) provided below.

* [https://github.com/wso2/product-apim/pull/14151](https://github.com/wso2/product-apim/pull/14151)
* [https://github.com/wso2/carbon-apimgt/pull/13784](https://github.com/wso2/carbon-apimgt/pull/13784)

If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).


#### Support Subscription Holders

Update your product to the specified update level or a higher update level to apply the fix.

!!! info todo
**WSO2 Support Subscription Holders may use [WSO2 Updates](https://wso2.com/updates/) in order to apply the fix.**

| Product Name | Product Version | Update Level |
| ---------------------- | --------------- | ------------ |
| WSO2 API Control Plane | 4.6.0 | 25 |
| WSO2 API Control Plane | 4.5.0 | 61 |
| WSO2 API Manager | 4.6.0 | 24 |
| WSO2 API Manager | 4.5.0 | 60 |
| WSO2 API Manager | 4.4.0 | 71 |
| WSO2 API Manager | 4.4.0 | 75 |
| WSO2 API Manager | 4.3.0 | 110 |
| WSO2 API Manager | 4.2.0 | 199 |
| WSO2 API Manager | 4.1.0 | 259 |
| WSO2 API Manager | 3.2.1 | 93 |
| WSO2 API Manager | 3.2.0 | 474 |
| WSO2 Traffic Manager | 4.6.0 | 24 |
| WSO2 Traffic Manager | 4.5.0 | 58 |
| WSO2 Universal Gateway | 4.6.0 | 24 |
| WSO2 Universal Gateway | 4.5.0 | 60 |

After applying the provided update or public PR to the affected product versions, it is necessary to follow the below given instruction.

This update resolves the issue by enforcing a default file upload limit of 10 MB. To adjust this limit, you can modify the `<PRODUCT HOME>/repository/conf/deployment.toml` file. Apply the following configurations to increase or decrease the default file size limit as part of the security update:

* For WSO2 APIM 3.2.0, 3.2.1:

```toml
[apim.publisher.import_definition_file_size_limit]
oas=20
wsdl=20
```

For WSO2 APIM 4.1.0, 4.2.0, 4.3.0, 4.4.0:

```toml
[apim.publisher.import_definition_file_size_limit]
oas=20
wsdl=20
async=20
```

* For WSO2 APIM 4.5.0:

```toml
[apim.publisher.import_definition_file_size_limit]
oas=20
wsdl=20
async=20
graphql=20
```

* For WSO2 APIM 4.6.0:

```toml
[apim.publisher.import_definition_file_size_limit]
oas=20
wsdl=20
async=20
graphql=20
mcp=20
```

The aforementioned values represent the maximum file size limit in megabytes (MB) for importing API definitions through a URL across OAS, Async, WSDL, GraphQL, and MCP formats.
Loading