CVE-2026-2053 | The WSO2 API Manager's message flow component, when processi… | CVSS 8.3 HIGH

Description

The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows an attacker to manipulate WS-Addressing headers to specify arbitrary destinations for server-initiated requests. Successful exploitation allows an unauthenticated attacker to control the destination of server-initiated requests originating from the WSO2 API Manager. This direct control can enable unauthorized access to internal network resources or services that would typically be inaccessible from external networks.

Metadata

CVE ID: CVE-2026-2053
State: PUBLISHED
Assigner: WSO2
Reserved: 2026-02-06 06:12 UTC
Published: 2026-06-26 07:26 UTC
Last updated: 2026-06-26 16:10 UTC
Primary CWE: CWE-918
CWE-918 Server-Side Request Forgery (SSRF)
Vendor / Product: WSO2 / WSO2 API Manager
Sources: cve.org · NVD

Severity & Metrics

8.3 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
WSO2	WSO2 API Manager	—	0 < 3.1.0, 3.1.0 < 3.1.0.360, 3.2.0 < 3.2.0.465, 3.2.1 < 3.2.1.84 …

Weakness (CWE)

CWE	Source	Description
CWE-918	cna	CWE-918 Server-Side Request Forgery (SSRF)

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.3	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

References (1)

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2026-5072/