Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-13475

Summary
Assigner-WSO2
Assigner Org ID-ed10eef1-636d-4fbe-9993-6890dfa878f8
Published At-04 Jul, 2026 | 12:49
Updated At-04 Jul, 2026 | 12:49
Rejected At-
Credits

Cross-Tenant Access via Application Consent Mismanagement in Multiple WSO2 Products Allows Unauthorized Data Exposure

In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. Consent granted by a user for a specific SaaS application within one tenant can be incorrectly applied to SaaS applications with the same name in other tenants, leading to unintended cross-tenant consent sharing. This vulnerability may result in the exposure of user data across tenants, enabling SaaS applications in different tenants to access and modify information without explicit user authorization. This can lead to unauthorized data access and privacy violations. This vulnerability has no impact if the deployment does not support multi-tenancy.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:WSO2
Assigner Org ID:ed10eef1-636d-4fbe-9993-6890dfa878f8
Published At:04 Jul, 2026 | 12:49
Updated At:04 Jul, 2026 | 12:49
Rejected At:
▼CVE Numbering Authority (CNA)
Cross-Tenant Access via Application Consent Mismanagement in Multiple WSO2 Products Allows Unauthorized Data Exposure

In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. Consent granted by a user for a specific SaaS application within one tenant can be incorrectly applied to SaaS applications with the same name in other tenants, leading to unintended cross-tenant consent sharing. This vulnerability may result in the exposure of user data across tenants, enabling SaaS applications in different tenants to access and modify information without explicit user authorization. This can lead to unauthorized data access and privacy violations. This vulnerability has no impact if the deployment does not support multi-tenancy.

Affected Products
Vendor
WSO2 LLCWSO2
Product
WSO2 Identity Server
Default Status
unaffected
Versions
Affected
  • From 5.10.0 before 5.10.0.382 (custom)

unknown

  • From 0 before 5.10.0 (custom)
Vendor
WSO2 LLCWSO2
Product
WSO2 API Manager
Default Status
unaffected
Versions
Affected
  • From 3.2.0 before 3.2.0.457 (custom)
  • From 3.2.1 before 3.2.1.76 (custom)

unknown

  • From 0 before 3.2.0 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-288CWE-288: Access of Unprotected Resource
Type: CWE
CWE ID: CWE-288
Description: CWE-288: Access of Unprotected Resource
Metrics
VersionBase scoreBase severityVector
3.13.5LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-35CAPEC-35 CAPEC-35: Accessing Unprotected Resources
CAPEC ID: CAPEC-35
Description: CAPEC-35 CAPEC-35: Accessing Unprotected Resources
Solutions

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-1613/#solution

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-1613/
vendor-advisory
Hyperlink: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-1613/
Resource:
vendor-advisory
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:ed10eef1-636d-4fbe-9993-6890dfa878f8
Published At:04 Jul, 2026 | 13:16
Updated At:04 Jul, 2026 | 13:16

In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. Consent granted by a user for a specific SaaS application within one tenant can be incorrectly applied to SaaS applications with the same name in other tenants, leading to unintended cross-tenant consent sharing. This vulnerability may result in the exposure of user data across tenants, enabling SaaS applications in different tenants to access and modify information without explicit user authorization. This can lead to unauthorized data access and privacy violations. This vulnerability has no impact if the deployment does not support multi-tenancy.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.13.5LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-288Secondaryed10eef1-636d-4fbe-9993-6890dfa878f8
CWE ID: CWE-288
Type: Secondary
Source: ed10eef1-636d-4fbe-9993-6890dfa878f8
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-1613/ed10eef1-636d-4fbe-9993-6890dfa878f8
N/A
Hyperlink: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-1613/
Source: ed10eef1-636d-4fbe-9993-6890dfa878f8
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1Records found

CVE-2023-30946
Matching Score-4
Assigner-Palantir Technologies
ShareView Details
Matching Score-4
Assigner-Palantir Technologies
CVSS Score-3.5||LOW
EPSS-0.39% / 31.24%
||
7 Day CHG+0.06%
Published-29 Jun, 2023 | 18:49
Updated-28 Oct, 2024 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Issues notification metadata lacks authorization

A security defect was identified in Foundry Issues. If a user was added to an issue on a resource that they did not have access to and consequently could not see, they could query Foundry's Notification API and receive metadata about the issue including the RID of the issue, severity, internal UUID of the author, and the user-defined title of the issue.

Action-Not Available
Vendor-palantirPalantir
Product-foundry_issuescom.palantir.issues:issues
CWE ID-CWE-420
Unprotected Alternate Channel
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
Details not found