{"id":"CVE-2025-9804","details":"An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.\n\nThis vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.","modified":"2026-04-10T05:37:52.891011Z","published":"2025-10-16T13:15:42.130Z","references":[{"type":"ADVISORY","url":"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wso2-attic/analytics-is","events":[{"introduced":"0"},{"last_affected":"f791dcc91959b91e64f3bab2c5e0933cca701447"},{"introduced":"0"},{"last_affected":"0208f433e3df574261342b3e2352a5bc1a0bcf90"},{"introduced":"0"},{"last_affected":"20468e646534067f106695ea989956a853b4c396"},{"introduced":"0"},{"last_affected":"9347958cacabfbeb09bb743abd2f92b2e56731ec"},{"introduced":"0"},{"last_affected":"bb7e011d81a237aa5e74265c33466ae254f7fdb6"},{"introduced":"0"},{"last_affected":"bd89e4586d7e8c240c93b03b9acb3a1e93078781"},{"introduced":"0"},{"last_affected":"42f3111ec596b0d8e8ac32cf33bc4261f53a95bb"},{"introduced":"0"},{"last_affected":"c65432eeff55c8da96ad0a412dff9a0aa714f564"},{"introduced":"0"},{"last_affected":"f791dcc91959b91e64f3bab2c5e0933cca701447"},{"introduced":"0"},{"last_affected":"0208f433e3df574261342b3e2352a5bc1a0bcf90"},{"introduced":"0"},{"last_affected":"bb7e011d81a237aa5e74265c33466ae254f7fdb6"},{"introduced":"0"},{"last_affected":"bd89e4586d7e8c240c93b03b9acb3a1e93078781"},{"introduced":"0"},{"last_affected":"0208f433e3df574261342b3e2352a5bc1a0bcf90"},{"introduced":"0"},{"last_affected":"bb7e011d81a237aa5e74265c33466ae254f7fdb6"},{"introduced":"0"},{"last_affected":"bd89e4586d7e8c240c93b03b9acb3a1e93078781"},{"introduced":"0"},{"last_affected":"42f3111ec596b0d8e8ac32cf33bc4261f53a95bb"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"5.2.0"},{"introduced":"0"},{"last_affected":"5.3.0"},{"introduced":"0"},{"last_affected":"5.4.0"},{"introduced":"0"},{"last_affected":"5.4.1"},{"introduced":"0"},{"last_affected":"5.5.0"},{"introduced":"0"},{"last_affected":"5.6.0"},{"introduced":"0"},{"last_affected":"5.7.0"},{"introduced":"0"},{"last_affected":"5.8.0"},{"introduced":"0"},{"last_affected":"5.2.0"},{"introduced":"0"},{"last_affected":"5.3.0"},{"introduced":"0"},{"last_affected":"5.5.0"},{"introduced":"0"},{"last_affected":"5.6.0"},{"introduced":"0"},{"last_affected":"5.3.0"},{"introduced":"0"},{"last_affected":"5.5.0"},{"introduced":"0"},{"last_affected":"5.6.0"},{"introduced":"0"},{"last_affected":"5.7.0"}]}},{"type":"GIT","repo":"https://github.com/wso2/product-apim","events":[{"introduced":"0"},{"last_affected":"f84a64d6683176f3ffb57fa262f3035b69781f2f"},{"introduced":"0"},{"last_affected":"2d31e24faeeb97e70d7f19033ccff2f843f8c892"},{"introduced":"0"},{"last_affected":"6307349bd09fd6fdf9cfe15e170584403fa7e6be"},{"introduced":"0"},{"last_affected":"5cdc3f8a5ea212c3bf231cb710ea3436e9aad1d7"},{"introduced":"0"},{"last_affected":"828807c24e02a88a91a70e6f9dbc6eeb58be3eaf"},{"introduced":"0"},{"last_affected":"a87463944acbc28f14c0af2a32dc30310147a0be"},{"introduced":"0"},{"last_affected":"727d091683c8199c37f2d19ab3198abee6553904"},{"introduced":"0"},{"last_affected":"2971de274564b622974de831403e9688a4a76c14"},{"introduced":"0"},{"last_affected":"e4956e9301b1c26eb06e80ec5c86628154b6ab55"},{"introduced":"0"},{"last_affected":"cf00d9e6cb083f94abae11818794f62cd5c94079"},{"introduced":"0"},{"last_affected":"9f152cad69fafd010fae1ed02b636409f0860b91"},{"introduced":"0"},{"last_affected":"572610e8e6564a647044bdb454eda658e1253352"},{"introduced":"0"},{"last_affected":"6e7a9db24a575f1f4a5bc4f4cbb41687c308c466"},{"introduced":"0"},{"last_affected":"c97258caec907ea69c289c80ff708a214c3372dc"},{"introduced":"0"},{"last_affected":"f84a64d6683176f3ffb57fa262f3035b69781f2f"},{"introduced":"0"},{"last_affected":"2d31e24faeeb97e70d7f19033ccff2f843f8c892"},{"introduced":"0"},{"last_affected":"6307349bd09fd6fdf9cfe15e170584403fa7e6be"},{"introduced":"0"},{"last_affected":"5cdc3f8a5ea212c3bf231cb710ea3436e9aad1d7"},{"introduced":"0"},{"last_affected":"828807c24e02a88a91a70e6f9dbc6eeb58be3eaf"},{"introduced":"0"},{"last_affected":"2971de274564b622974de831403e9688a4a76c14"},{"introduced":"0"},{"last_affected":"e4956e9301b1c26eb06e80ec5c86628154b6ab55"},{"introduced":"0"},{"last_affected":"5cdc3f8a5ea212c3bf231cb710ea3436e9aad1d7"},{"introduced":"0"},{"last_affected":"2d31e24faeeb97e70d7f19033ccff2f843f8c892"},{"introduced":"0"},{"last_affected":"2d31e24faeeb97e70d7f19033ccff2f843f8c892"},{"introduced":"0"},{"last_affected":"f84a64d6683176f3ffb57fa262f3035b69781f2f"},{"introduced":"0"},{"last_affected":"f84a64d6683176f3ffb57fa262f3035b69781f2f"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.5.0-NA"},{"introduced":"0"},{"last_affected":"2.0.0"},{"introduced":"0"},{"last_affected":"2.1.0"},{"introduced":"0"},{"last_affected":"2.2.0"},{"introduced":"0"},{"last_affected":"2.5.0"},{"introduced":"0"},{"last_affected":"2.6.0"},{"introduced":"0"},{"last_affected":"3.0.0"},{"introduced":"0"},{"last_affected":"3.1.0"},{"introduced":"0"},{"last_affected":"3.2.0"},{"introduced":"0"},{"last_affected":"4.0.0"},{"introduced":"0"},{"last_affected":"4.1.0-NA"},{"introduced":"0"},{"last_affected":"4.2.0-NA"},{"introduced":"0"},{"last_affected":"4.3.0-NA"},{"introduced":"0"},{"last_affected":"4.4.0-NA"},{"introduced":"0"},{"last_affected":"4.5.0-NA"},{"introduced":"0"},{"last_affected":"2.0.0"},{"introduced":"0"},{"last_affected":"2.1.0"},{"introduced":"0"},{"last_affected":"2.2.0"},{"introduced":"0"},{"last_affected":"2.5.0"},{"introduced":"0"},{"last_affected":"3.1.0"},{"introduced":"0"},{"last_affected":"3.2.0"},{"introduced":"0"},{"last_affected":"2.2.0"},{"introduced":"0"},{"last_affected":"2.0.0"},{"introduced":"0"},{"last_affected":"2.0.0"},{"introduced":"0"},{"last_affected":"4.5.0"},{"introduced":"0"},{"last_affected":"4.5.0"}]}}],"versions":["4.0.0-beta","test-tag-1.9.0-Alpha","v1.9.0","v1.9.0-Alpha","v1.9.0-Beta","v1.9.0-Beta-2","v1.9.0-Beta-3","v1.9.0-M2","v2.0.0","v2.0.0-ALPHA","v2.0.0-M4","v2.0.0-rc1","v2.0.0-rc2","v2.0.0-rc3","v2.0.0-rc4","v2.0.0-rc5","v2.1.0","v2.1.0-alpha","v2.1.0-rc5","v2.1.0-update1","v2.1.0-update10","v2.1.0-update11","v2.1.0-update12","v2.1.0-update13","v2.1.0-update14","v2.1.0-update2","v2.1.0-update3","v2.1.0-update5","v2.1.0-update7","v2.1.0-update8","v2.1.0-update9","v2.2.0","v2.2.0-update1","v2.2.0-update2","v2.2.0-update3","v2.2.0-update4","v2.2.0-update5","v2.2.0-update6","v2.2.0-update7","v2.5.0","v2.5.0-Alpha","v2.5.0-Beta","v2.5.0-rc1","v2.5.0-rc2","v2.5.0-rc3","v2.5.0-rc4","v2.6.0","v2.6.0-alpha","v2.6.0-alpha2","v2.6.0-beta","v2.6.0-beta2","v2.6.0-m1","v2.6.0-m2","v2.6.0-rc1","v2.6.0-rc2","v2.6.0-rc3","v3.0.0","v3.0.0-alpha","v3.0.0-alpha2","v3.0.0-beta","v3.0.0-m32","v3.0.0-m33","v3.0.0-m34","v3.0.0-m35","v3.0.0-rc1","v3.0.0-rc2","v3.0.0-rc3","v3.1.0","v3.1.0-alpha","v3.1.0-beta","v3.1.0-m1","v3.1.0-m2","v3.1.0-m3","v3.1.0-m4","v3.1.0-m5","v3.1.0-rc1","v3.1.0-rc2","v3.1.0-rc3","v3.2.0","v3.2.0-alpha","v3.2.0-beta","v3.2.0-m1","v3.2.0-rc1","v3.2.0-rc2","v3.2.0-rc3","v3.2.0-rc4","v3.2.0-rc5","v3.2.0-rc6","v4.0.0","v4.0.0-alpha","v4.0.0-beta","v4.0.0-m1","v4.0.0-m2","v4.0.0-m3","v4.0.0-m4","v4.0.0-m5","v4.0.0-m6","v4.0.0-m7","v4.0.0-m8","v4.0.0-rc","v4.1.0","v4.1.0-alpha","v4.1.0-beta","v4.1.0-m1","v4.1.0-m2","v4.1.0-m3","v4.1.0-m4","v4.1.0-rc","v4.1.0-rc2","v4.1.0-rc3","v4.2.0","v4.2.0-alpha","v4.2.0-beta","v4.2.0-m1","v4.2.0-rc","v4.2.0-rc2","v4.3.0","v4.3.0-alpha","v4.3.0-alpha2","v4.3.0-beta","v4.3.0-m2","v4.3.0-rc","v4.3.0-rc2","v4.4.0","v4.4.0-alpha","v4.4.0-beta","v4.4.0-m1","v4.4.0-rc","v4.4.0-rc2","v4.5.0-acp","v4.5.0-acp-alpha","v4.5.0-acp-beta","v4.5.0-acp-m1","v4.5.0-acp-rc","v4.5.0-acp-rc2","v4.5.0-beta","v4.5.0-gw-alpha","v4.5.0-gw-beta","v4.5.0-gw-m1","v4.5.0-gw-rc","v4.5.0-m1","v4.5.0-m2","v4.5.0-rc","v4.5.0-tm","v4.5.0-tm-alpha","v4.5.0-tm-beta","v4.5.0-tm-m1","v4.5.0-tm-rc","v4.5.0-tm-rc2","v5.2.0-beta2","v5.2.0-latest","v5.3.0","v5.3.0-alpha2","v5.3.0-rc1","v5.3.0-rc2","v5.3.0-rc3","v5.4.0","v5.4.0-beta","v5.4.0-update1","v5.4.0-update4","v5.4.1","v5.5.0","v5.5.0-alpha","v5.5.0-alpha2","v5.5.0-alpha3","v5.5.0-beta","v5.5.0-rc1","v5.5.0-rc2","v5.6.0","v5.6.0-rc1","v5.6.0-rc2","v5.6.0-rc3","v5.7.0","v5.7.0-alpha","v5.7.0-alpha2","v5.7.0-alpha3","v5.7.0-beta","v5.7.0-beta2","v5.7.0-beta3","v5.7.0-beta4","v5.7.0-beta5","v5.7.0-m3","v5.7.0-m4","v5.7.0-m5","v5.7.0-rc1","v5.7.0-rc2","v5.7.0-rc3","v5.8.0","v5.8.0-alpha","v5.8.0-alpha2","v5.8.0-alpha3","v5.8.0-alpha4","v5.8.0-alpha5","v5.8.0-alpha6","v5.8.0-beta","v5.8.0-beta2","v5.8.0-beta3","v5.8.0-beta4","v5.8.0-beta5","v5.8.0-m1","v5.8.0-m10","v5.8.0-m11","v5.8.0-m12","v5.8.0-m13","v5.8.0-m14","v5.8.0-m15","v5.8.0-m16","v5.8.0-m17","v5.8.0-m18","v5.8.0-m19","v5.8.0-m2","v5.8.0-m20","v5.8.0-m21","v5.8.0-m22","v5.8.0-m24","v5.8.0-m25","v5.8.0-m26","v5.8.0-m3","v5.8.0-m4","v5.8.0-m5","v5.8.0-m6","v5.8.0-m7","v5.8.0-m8","v5.8.0-m9","v5.8.0-rc1","v5.8.0-rc2","v5.8.0-rc3"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"3.2.1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"6.1.0-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0.0-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1.0-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"5.9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.5.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9804.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}