CVE-2025-13475: Cross-Tenant Access via Application Consent Mismanagement in Multiple WSO2 Products Allows Unauthorized Data Exposure
In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. Consent granted by a user for a specific SaaS application within one tenant can be incorrectly applied to SaaS applications with the same name in other tenants, leading to unintended cross-tenant consent sharing.
This vulnerability may result in the exposure of user data across tenants, enabling SaaS applications in different tenants to access and modify information without explicit user authorization. This can lead to unauthorized data access and privacy violations. This vulnerability has no impact if the deployment does not support multi-tenancy.
Security readout for executives and security teams
Plain-English summary
This is a low-severity WSO2 tenant-isolation issue. In multi-tenant deployments, consent given to a SaaS app in one tenant may be treated as consent for a same-named SaaS app in another tenant. That can expose user data across tenant boundaries without explicit authorization. Deployments without multi-tenancy are stated as unaffected.
Executive priority
Treat this as a targeted privacy and tenant-isolation issue, not a broad emergency. Prioritize organizations running multi-tenant WSO2 deployments, especially where tenant data separation is a contractual or regulatory requirement.
Technical view
The consent management mechanism does not correctly isolate consent scopes by tenant. With low-privileged access and user interaction, a SaaS application sharing a name across tenants may inherit consent intended for another tenant. CVSS is 3.5, with network attack vector, low complexity, low privileges, user interaction required, and low confidentiality impact.
Likely exposure
Exposure appears limited to multi-tenant WSO2 deployments using affected WSO2 Identity Server or WSO2 API Manager versions and SaaS applications with matching names across tenants. Single-tenant deployments are stated as not impacted.
Exploitation context
The bundle does not cite active exploitation, and KEV status is false. Exploitation would require a multi-tenant setup, relevant SaaS application consent flows, low privileges, and user interaction. Evidence is insufficient to claim public exploitation.
Researcher notes
The key research angle is consent scope isolation across tenant boundaries. Validate only whether consent for one tenant can affect a same-named SaaS application in another tenant. The source bundle does not provide patch details or exploitation evidence.
Mitigation direction
Review WSO2 advisory WSO2-2025-1613 for official remediation guidance.
Prioritize assessment of multi-tenant WSO2 environments first.
Identify same-named SaaS applications across tenants.
Review application consent configuration for unintended cross-tenant scope sharing.
Limit multi-tenancy exposure where it is not operationally required.
Validation and detection
Confirm whether the deployment supports multi-tenancy.
Inventory affected WSO2 Identity Server and API Manager versions.
Map SaaS application names across all tenants.
Review consent records for cross-tenant scope reuse.
Check whether any same-named SaaS apps can access unintended user data.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-288: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-288 · source CWE mapping
Authentication Bypass Using an Alternate Path or Channel
Authentication Bypass Using an Alternate Path or Channel represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.