Description

A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: * SOAP admin services are accessible to the attacker. * The deployment includes an internally used attribute that is not part of the default WSO2 product configuration. * At least one custom role exists with non-default permissions. * The attacker has knowledge of the custom role and the internal attribute used in the deployment. Exploiting this vulnerability allows malicious actors to assign higher privileges to self-registered users, bypassing intended access control mechanisms.

INFO

Published Date :

2025-05-30T14:54:32.417Z

Last Modified :

2025-12-03T07:47:35.374Z

Source :

WSO2
AFFECTED PRODUCTS

The following products are affected by CVE-2024-7096 vulnerability.

Vendors Products
Wso2
  • Api Manager
  • Enterprise Mobility Manager
  • Identity Server
  • Identity Server As Key Manager
  • Open Banking Am
  • Open Banking Iam
  • Open Banking Km
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-7096.

URL Resource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3573/ cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact