lowCVE-2025-13475

CVE-2025-13475 api manager vulnerability

In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. Consent granted by a user for a specific SaaS application within one tenant can be incorrectly applied to SaaS applications with the same name in other tenants, leading to unintended cross-tenant consent sharing. This vulnerability may result in the exposure of user data across tenants, enabling SaaS applications in different tenants to access and modify information without explicit user authorization. This can lead to unauthorized data access and privacy violations. This vulnerability has no impact if the deployment does not support multi-tenancy.

Productapi manager
CVSS3.5
EPSSNot scored yet
UpdatedJuly 13, 2026

Quick answer

wso2 api manager should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Review vendor advisory for affected versions.

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

CVE-2025-13475 affects WSO2 API Manager identity and access-control behavior. Apply the relevant WSO2 update level (5.10.0.382, 3.2.0.457, 3.2.1.76) and review multi-tenant SaaS consent isolation before returning the deployment to normal exposure. Affected ranges in the local record are 5.10.0 through before 5.10.0.382; 3.2.0 through before 3.2.0.457; 3.2.1 through before 3.2.1.76.

  1. Inventory every WSO2 API Manager, Identity Server, container image, and update channel tied to the affected deployment.
  2. Compare installed product versions and update levels with the WSO2 advisory ranges for CVE-2025-13475.
  3. Apply the relevant WSO2 update level or a later vendor-supported release: 5.10.0.382, 3.2.0.457, 3.2.1.76.
  4. Review identity provider settings, silent JIT provisioning, tenant configuration, SaaS application names, consent scopes, and role mappings for unsafe overlap.
  5. Temporarily disable risky federated provisioning or multi-tenant consent flows until the patched update is active and verified.
  6. Audit users, roles, consent grants, tenant application mappings, and recent authentication events for unauthorized changes during the exposure window.
  7. Deploy first to staging, run authentication and authorization regression tests, then promote to production with monitoring for role changes and cross-tenant access attempts.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm WSO2 product version and update metadata show 5.10.0.382, 3.2.0.457, 3.2.1.76 or a later fixed update level.
  • Test federated login, JIT provisioning, role assignment, tenant consent, and SaaS app access boundaries using separate users and tenants.
  • Check audit logs for unexpected role overwrites, consent reuse, user data access, or tenant boundary violations after patching.
  • Open the generated Fixnx page and confirm the canonical URL ends with api-manager-cve-2025-13475.
  • Re-run sitemap validation and confirm api-manager-cve-2025-13475 appears once in sitemap.xml with the full CVE-2025-13475 suffix.

Related categories

Trusted references

FAQ

What is affected by CVE-2025-13475?

wso2 api manager should be checked against the vendor advisory and trusted references linked on this page.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.