The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows an attacker to manipulate WS-Addressing headers to specify arbitrary destinations for server-initiated requests.
Successful exploitation allows an unauthenticated attacker to control the destination of server-initiated requests originating from the WSO2 API Manager. This direct control can enable unauthorized access to internal network resources or services that would typically be inaccessible from external networks.
References
| Link | Resource |
|---|---|
| https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2026-5072/ | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
27 Jun 2026, 19:38
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:* | |
| References | () https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2026-5072/ - Vendor Advisory | |
| First Time |
Wso2
Wso2 api Manager |
26 Jun 2026, 08:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-26 08:16
Updated : 2026-06-27 19:38
NVD link : CVE-2026-2053
Mitre link : CVE-2026-2053
CVE.ORG link : CVE-2026-2053
JSON object : View
Products Affected
wso2
- api_manager
CWE
CWE-918
Server-Side Request Forgery (SSRF)
