PT-2026-39593 · Wso2 · Wso2 Identity Server

Published

2026-05-11

·

Updated

2026-05-27

·

CVE-2025-9973

CVSS v3.1

7.2

High

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions WSO2 Identity Server (affected versions not specified)
Description In multi-organization deployments, the software fails to validate the organization context during the execution of adaptive authentication flows. This allows a malicious actor with configuration privileges in one organization to trigger authentication logic across other organizations and sub-organizations. This flaw enables the bypass of authorization boundaries, potentially leading to privilege escalation, unauthorized access to critical operations and resources, and account takeover across different organizations.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

LPE

Incorrect Authorization

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2025-9973

Affected Products

Wso2 Identity Server