{"timestamp":"2026-06-26T16:09:25.936561Z","id":"CVE-2026-2053","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}

The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows an attacker to manipulate WS-Addressing headers to specify arbitrary destinations for server-initiated requests.

Successful exploitation allows an unauthenticated attacker to control the destination of server-initiated requests originating from the WSO2 API Manager. This direct control can enable unauthorized access to internal network resources or services that would typically be inaccessible from external networks.

AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CWE-918

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2026-5072/

[{"vendor":"WSO2","product":"WSO2 API Manager","defaultStatus":"unaffected","versions":[{"version":"0","lessThan":"3.1.0","versionType":"custom","status":"unknown"},{"version":"3.1.0","lessThan":"3.1.0.360","versionType":"custom","status":"affected"},{"version":"3.2.0","lessThan":"3.2.0.465","versionType":"custom","status":"affected"},{"version":"3.2.1","lessThan":"3.2.1.84","versionType":"custom","status":"affected"},{"version":"4.0.0","lessThan":"4.0.0.385","versionType":"custom","status":"affected"},{"version":"4.2.0","lessThan":"4.2.0.189","versionType":"custom","status":"affected"}]}]