CVE Vulnerability Details :
CVE-2025-13475
PUBLISHED
Assigner: WSO2
Assigner Org ID: ed10eef1-636d-4fbe-9993-6890dfa878f8
Published At: 04 Jul, 2026 | 12:49
Updated At: 04 Jul, 2026 | 12:49
Rejected At:
▼CVE Numbering Authority (CNA)
Cross-Tenant Access via Application Consent Mismanagement in Multiple WSO2 Products Allows Unauthorized Data Exposure

In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. Consent granted by a user for a specific SaaS application within one tenant can be incorrectly applied to SaaS applications with the same name in other tenants, leading to unintended cross-tenant consent sharing. This vulnerability may result in the exposure of user data across tenants, enabling SaaS applications in different tenants to access and modify information without explicit user authorization. This can lead to unauthorized data access and privacy violations. This vulnerability has no impact if the deployment does not support multi-tenancy.

Affected Products

Vendor: WSO2 LLC (WSO2)
Product: WSO2 Identity Server
Default Status: unaffected
Versions:
  Affected
  • From 5.10.0 before 5.10.0.382 (custom)
  unknown
  • From 0 before 5.10.0 (custom)

Vendor: WSO2 LLC (WSO2)
Product: WSO2 API Manager
Default Status: unaffected
Versions:
  Affected
  • From 3.2.0 before 3.2.0.457 (custom)
  • From 3.2.1 before 3.2.1.76 (custom)
  unknown
  • From 0 before 3.2.0 (custom)

Problem Types
Type: CWE
CWE ID: CWE-288
Description: CWE-288: Access of Unprotected Resource
Metrics
Version: 3.1
Base score: 3.5
Base severity: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Impacts
CAPEC ID: CAPEC-35
Description: CAPEC-35: Accessing Unprotected Resources
Solutions

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-1613/#solution

References
Hyperlink: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-1613/
Resource: vendor-advisory