CVE-2025-9152

Name of the Vulnerable Software and Affected Versions WSO2 API Manager (affected versions not specified)

Description An improper privilege management issue exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint. A malicious user can exploit this flaw to generate access tokens with elevated privileges, potentially leading to administrative access and the ability to perform unauthorized operations. The affected endpoint is /keymanager-operations/DCR. The vulnerable operation involves generating access tokens. The access tokens are generated with elevated privileges.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.