CVE Catalog

CVE-2026-2053

HighCVSS 8.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

13th percentile — higher than 13% of all known CVEs

Summary

A vulnerability in the message flow component of WSO2 API Manager allows an unauthenticated attacker to manipulate WS-Addressing headers. The lack of proper validation of these headers enables redirecting server-initiated requests to arbitrary destinations.

Risk Assessment

The risk involves potential unauthorized access to internal network resources or services that are typically inaccessible from external networks. An attacker can exploit the server to perform Server-Side Request Forgery (SSRF) attacks.

Recommendation

Immediately update WSO2 API Manager to a version that fixes this vulnerability. Until the update is applied, implement firewall rules to restrict outgoing server requests and validate WS-Addressing headers at the proxy level.

Original NVD description (English source)

The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows an attacker to manipulate WS-Addressing headers to specify arbitrary destinations for server-initiated requests. Successful exploitation allows an unauthenticated attacker to control the destination of server-initiated requests originating from the WSO2 API Manager. This direct control can enable unauthorized access to internal network resources or services that would typically be inaccessible from external networks.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS