WSO2 API Manager CVE-2025-9152: Brief Summary of Critical Privilege Escalation via DCR Endpoint

This post provides a brief summary of CVE-2025-9152, a critical improper privilege management vulnerability in WSO2 API Manager's Dynamic Client Registration endpoint. The flaw allows unauthenticated attackers to generate access tokens with elevated privileges because the endpoint performs no authentication or authorization checks. The post includes technical details, affected versions, and references to official advisories.
CVE Analysis

ZeroPath CVE Analysis

2025-10-16

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Attackers can obtain administrative access to WSO2 API Manager environments by exploiting a critical flaw in the Dynamic Client Registration (DCR) endpoint. This vulnerability allows unauthenticated users to generate access tokens with elevated privileges, bypassing all intended security controls. For organizations relying on WSO2 API Manager to secure APIs in banking, healthcare, or government, the risk is immediate and severe.

WSO2 is a major open source middleware vendor whose API Manager product is widely adopted for API lifecycle management, security, and integration. Its technology underpins digital infrastructure for thousands of enterprises globally, making vulnerabilities in its core components highly impactful.

Technical Information

CVE-2025-9152 is a critical improper privilege management vulnerability (CWE-269) affecting the keymanager-operations Dynamic Client Registration (DCR) endpoint in WSO2 API Manager. The DCR endpoint is designed to allow programmatic registration of OAuth clients, which is essential for automated and scalable API integrations.

The vulnerability is due to missing authentication and authorization checks on the DCR endpoint. Specifically, the endpoint does not verify the identity of the requester or enforce privilege restrictions on who can register new OAuth clients. As a result, any remote attacker can send a crafted HTTP POST request to the DCR endpoint, supplying arbitrary client metadata (such as scopes, grant types, and redirect URIs). The endpoint processes these requests without validation and issues OAuth client credentials.

With these credentials, the attacker can request access tokens from the API Manager's token endpoint. Because the registration process allows specification of privileged scopes or grant types, the resulting tokens may grant administrative or otherwise unauthorized access to API management functions. This enables a full compromise of the API management environment, including the ability to modify API configurations, access sensitive data, and disrupt service operations.

No public code snippets or proof of concept exploit are available at this time. The attack requires only remote network access and does not depend on any prior authentication or user interaction.
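
To make the root cause concrete, the following is an added, simplified model of a DCR registration handler (example code written for this post, not WSO2's implementation). The vulnerable variant mirrors what the advisory describes (no identity check, no privilege check, metadata recorded as supplied); the hardened variant shows the three controls a registration endpoint needs: authentication, an explicit registration permission, and a bound that keeps a new client's scopes and grant types within what its creator may delegate. The permission name, scope names and grant-type allow-list are assumptions chosen for the model.

```python
import secrets
from dataclasses import dataclass

# Constructed policy values for the model (assumptions, not WSO2 configuration).
ALLOWED_GRANT_TYPES = {"authorization_code", "client_credentials", "refresh_token"}
REGISTER_PERMISSION = "dcr:register"


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, with the scopes it may delegate to new clients."""
    username: str
    permissions: frozenset
    allowed_scopes: frozenset


def register_client_vulnerable(metadata, principal=None):
    # Models the flaw: no identity check, no privilege check; the requested
    # scopes and grant types are recorded exactly as the caller supplied them.
    return {"ok": True, "client_id": secrets.token_hex(8),
            "scope": sorted(metadata.get("scope", [])),
            "grant_types": sorted(metadata.get("grant_types", []))}


def register_client_hardened(metadata, principal=None):
    # Authentication: an anonymous request is refused outright.
    if principal is None:
        return {"ok": False, "error": "authentication required"}
    # Authorization: the caller needs an explicit right to register clients.
    if REGISTER_PERMISSION not in principal.permissions:
        return {"ok": False, "error": "caller may not register clients"}
    # Privilege bound: a client can never hold scopes its creator cannot grant.
    requested_scopes = set(metadata.get("scope", []))
    excess = requested_scopes - principal.allowed_scopes
    if excess:
        return {"ok": False, "error": f"scopes not grantable: {sorted(excess)}"}
    # Grant types come from a fixed allow-list rather than arbitrary metadata.
    grant_types = set(metadata.get("grant_types", []))
    if not grant_types or not grant_types <= ALLOWED_GRANT_TYPES:
        return {"ok": False, "error": "unsupported grant type requested"}
    # Redirect URIs, when supplied, must be https so tokens cannot leak in clear.
    if any(not u.startswith("https://") for u in metadata.get("redirect_uris", [])):
        return {"ok": False, "error": "redirect_uris must use https"}
    return {"ok": True, "client_id": secrets.token_hex(8),
            "scope": sorted(requested_scopes), "grant_types": sorted(grant_types)}


if __name__ == "__main__":
    # Constructed request of the kind the advisory describes: arbitrary metadata
    # asking for a privileged scope ("apim:admin" is a placeholder scope name).
    request = {"scope": ["apim:admin"], "grant_types": ["client_credentials"]}
    print(register_client_vulnerable(request))   # succeeds with no caller at all
    print(register_client_hardened(request))     # refused: authentication required
```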

Affected Systems and Versions

The vulnerability affects WSO2 API Manager. The specific affected versions are not detailed in the available advisory or CVE entry. Organizations should consult the official WSO2 advisory for up-to-date information on affected version ranges and fixed releases.

Vendor Security History

WSO2 has previously faced critical vulnerabilities in its API Manager and related products. Notably, CVE-2022-29464 allowed unauthenticated remote code execution via unrestricted file upload, also due to missing authentication and authorization checks. That vulnerability was rapidly exploited in the wild, with attackers deploying web shells and cryptocurrency miners. WSO2 typically issues advisories and patches promptly, but the recurrence of privilege management flaws indicates ongoing challenges in endpoint security.
