lokvica

Improper Privilege Management in WSO2 API Manager via keymanager-operations DCR Endpoint

Date:
CVE ID: CVE-2025-9152
CVSS score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Product: Multiple (WSO2)
Researcher: @crnkovic
Type: Auth bypass
CWE: CWE-306

WSO2 API Manager's internal Dynamic Client Registration (DCR) endpoint at /keymanager-operations/dcr/register lacks adequate authentication. Several HTTP methods and path variations are missing from the access control configuration, allowing unauthenticated access to read, create, and modify OAuth 2.0 clients.

An unauthenticated attacker can exploit this to obtain full administrative access:

  1. Identify a public OAuth client ID (visible in the login page URL)
  2. Retrieve the client's client_secret via the unprotected DCR endpoint
  3. Modify the client's grant types to enable the client_credentials grant
  4. Request an access token with scope=apim:admin to obtain administrative privileges

This results in full administrative access to all WSO2 API Manager REST APIs without any prior credentials. Chained with the authenticated RCE vulnerabilities (CVE-2025-10907, CVE-2025-11093), it enables pre-authentication remote code execution.
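
The access-control gap above is a matter of HTTP method and path variants slipping past a pattern-based rule, which is also what makes it awkward to spot in logs. The following detection helper is an added example, not code from the advisory or from WSO2: it canonicalizes request paths (case, duplicate and trailing slashes, percent-encoding) before matching them against the internal DCR endpoint, then flags hits that come from outside an allowlist of internal components, use a method other than POST, or reach the endpoint via a path variant. The log lines are constructed samples in generic Common Log Format (not a WSO2-specific format), and INTERNAL_ALLOWLIST is an assumed deployment-specific value.

```python
"""Flag requests that reach /keymanager-operations/dcr/register through any
method or path variant. Added example for log review; assumes Common Log Format."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

DCR_PATH = "/keymanager-operations/dcr/register"

# Assumption: source addresses of components that legitimately call the internal endpoint.
INTERNAL_ALLOWLIST = {"10.0.0.5"}

# Constructed sample log lines (not real traffic); generic Common Log Format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "POST /keymanager-operations/dcr/register HTTP/1.1" 201 512
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /keymanager-operations/dcr/register/abc123 HTTP/1.1" 200 340
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "PUT /keymanager-operations/dcr/register/abc123/ HTTP/1.1" 200 340
203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "GET //keymanager-operations/dcr/Register/abc123 HTTP/1.1" 200 340
198.51.100.2 - - [01/Jan/2025:10:00:04 +0000] "GET /api/am/publisher/v4/apis HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


@dataclass
class Finding:
    ip: str
    method: str
    raw_path: str
    normalized_path: str
    status: int
    reasons: List[str]

    @property
    def succeeded(self) -> bool:
        # A 2xx answer means the request was served, not just attempted.
        return 200 <= self.status < 300


def normalize_path(path: str) -> str:
    """Canonical form used for matching: strip query, decode, collapse slashes,
    lowercase, drop trailing slash. Mirrors what an ACL should do before matching."""
    path = path.split("?", 1)[0]
    path = unquote(path)
    path = re.sub(r"/{2,}", "/", path).lower()
    return path.rstrip("/") if len(path) > 1 else path


def is_dcr_request(path: str) -> bool:
    norm = normalize_path(path)
    return norm == DCR_PATH or norm.startswith(DCR_PATH + "/")


def analyze(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_dcr_request(m["path"]):
            continue
        raw = m["path"].split("?", 1)[0]
        norm = normalize_path(raw)
        reasons = []
        if m["ip"] not in INTERNAL_ALLOWLIST:
            reasons.append("source not in internal allowlist")
        if m["method"] != "POST":
            reasons.append(f"non-POST method {m['method']}")
        if raw != norm:
            reasons.append("path variant")  # trailing/duplicate slash, case, encoding
        if reasons:
            findings.append(Finding(m["ip"], m["method"], raw, norm, int(m["status"]), reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        state = "SERVED" if f.succeeded else "rejected"
        print(f"{f.ip} {f.method} {f.raw_path} -> {f.status} ({state}): {', '.join(f.reasons)}")
```

Run against the constructed sample, the first line (an internal POST on the exact path) is not reported, while the three requests from 203.0.113.7 are, each with a 2xx status, which is the combination worth treating as a likely exposure rather than a probe. The same normalizer is the check to apply when reviewing an access-control rule set: every variant that collapses to DCR_PATH must be covered by a rule, not only the literal string.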

This vulnerability was responsibly disclosed and has been patched by the vendor.

Affected products

See also