CVE Alert

CVE-2024-1248

MEDIUM 4.8

Role Overwriting via Silent JIT Provisioning in Multiple WSO2 Products Enables Privilege Escalation

CVSS Score
4.8
EPSS Score
0.0%
EPSS Percentile
0th

The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users with roles assigned to the federated user. Exploitation requires a federated identity provider (IDP) with silent JIT provisioning enabled and an attacker's knowledge of a local user's username. When these conditions are met, a malicious individual can leverage the JIT provisioning process to modify the roles of local users. The overwritten roles are limited to those defined within the federated IDP, typically granting minimal access rights unless explicitly configured otherwise by the federated IDP administrator.
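As an added illustration (not WSO2 code), the Python below models the provisioning flaw described above and one defensive variant that keeps locally managed accounts out of reach of federated provisioning; the user store, role names and the per-account identity-source flag are constructed assumptions, not the product's data model.

```python
# Added example, not WSO2 code: a minimal model of silent JIT provisioning.
# A federated login whose username collides with a local account overwrites
# that account's roles in the vulnerable variant; the hardened variant refuses
# to modify an account that was not itself created by federated provisioning.
# All users, roles and the identity-source flag below are constructed.

from dataclasses import dataclass, field


@dataclass
class LocalUser:
    username: str
    roles: set = field(default_factory=set)
    source: str = "local"  # constructed flag: "local" or "federated"


def make_store():
    """Constructed local user store: 'alice' is a locally managed admin."""
    return {"alice": LocalUser("alice", {"admin", "Internal/publisher"})}


def provision_vulnerable(store, username, idp_roles):
    """Silent JIT provisioning that does not segregate by identity source:
    the roles asserted by the IdP replace those of any same-name user."""
    user = store.setdefault(username, LocalUser(username, source="federated"))
    user.roles = set(idp_roles)  # overwrites even a local account's roles
    return user


def provision_hardened(store, username, idp_roles):
    """Only create or update accounts that federated provisioning created;
    a locally managed account with the same username is left untouched and
    the caller receives None so the collision can be logged and alerted on."""
    existing = store.get(username)
    if existing is not None and existing.source == "local":
        return None
    user = store.setdefault(username, LocalUser(username, source="federated"))
    user.roles = set(idp_roles)
    return user


def simulate(provisioner, username, idp_roles):
    """Run one federated login against a fresh store and report
    (was an account provisioned?, alice's roles afterwards)."""
    store = make_store()
    user = provisioner(store, username, idp_roles)
    return user is not None, frozenset(store["alice"].roles)
```

Running `simulate(provision_vulnerable, "alice", ["Internal/everyone"])` shows alice's admin role replaced by the IdP's minimal role, while the hardened variant leaves her roles intact and still provisions a genuinely new federated user.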

CWE CWE-298
Vendor wso2
Product wso2 api manager
Published Jul 4, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Affected Versions

WSO2 / WSO2 API Manager
3.0.0 to < 3.0.0.153
3.1.0 to < 3.1.0.267
3.2.0 to < 3.2.0.351
4.0.0 to < 4.0.0.269
4.1.0 to < 4.1.0.169
WSO2 / WSO2 Identity Server
5.8.0 to < 5.8.0.101
5.9.0 to < 5.9.0.138
5.10.0 to < 5.10.0.284
5.11.0 to < 5.11.0.321
WSO2 / WSO2 Identity Server as Key Manager
5.9.0 to < 5.9.0.148
5.10.0 to < 5.10.0.280
WSO2 / WSO2 Open Banking AM
2.0.0 to < 2.0.0.313
WSO2 / WSO2 Open Banking IAM
2.0.0 to < 2.0.0.333

References

NVD, CVE.org, EPSS Data
security.docs.wso2.com: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3179/