CVE-2026-2053
HighCVSS 8.3Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
A vulnerability in the message flow component of WSO2 API Manager allows an unauthenticated attacker to manipulate WS-Addressing headers. The lack of proper validation of these headers enables redirecting server-initiated requests to arbitrary destinations.
Risk Assessment
The risk involves potential unauthorized access to internal network resources or services that are typically inaccessible from external networks. An attacker can exploit the server to perform Server-Side Request Forgery (SSRF) attacks.
Recommendation
Immediately update WSO2 API Manager to a version that fixes this vulnerability. Until the update is applied, implement firewall rules to restrict outgoing server requests and validate WS-Addressing headers at the proxy level.
Original NVD description (English source)
The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows an attacker to manipulate WS-Addressing headers to specify arbitrary destinations for server-initiated requests. Successful exploitation allows an unauthenticated attacker to control the destination of server-initiated requests originating from the WSO2 API Manager. This direct control can enable unauthorized access to internal network resources or services that would typically be inaccessible from external networks.

