๐Ÿ” CVE Alert

CVE-2026-4249

HIGH 8.6

Denial of Service via Malicious JSON Payloads in Throttling Events in Multiple WSO2 Products Causing Persistent Service Disruption

CVSS Score
8.6
EPSS Score
0.0%
EPSS Percentile
0th

The throttling event handling mechanism in multiple WSO2 products accepts user-supplied JSON payloads without sufficient validation of their structure and content. This allows an unauthenticated remote attacker to inject malicious JSON data that can lead to a persistent denial of service condition. Successful exploitation of this vulnerability can disrupt the API Gateway, preventing legitimate API traffic from being processed and impacting complete service availability. The denial of service is persistent, requiring manual intervention to restore normal operations.

CWE CWE-707
Vendor wso2
Product wso2 universal gateway
Published Jul 6, 2026
Last Updated Jul 6, 2026
Stay Ahead of the Next One

Get instant alerts for wso2 wso2 universal gateway

Be the first to know when new high vulnerabilities affecting wso2 wso2 universal gateway are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Affected Versions

WSO2 / WSO2 Universal Gateway
4.5.0 < 4.5.0.54 4.6.0 < 4.6.0.18 4.7.0 < 4.7.0.2
WSO2 / WSO2 Traffic Manager
4.5.0 < 4.5.0.53 4.6.0 < 4.6.0.18 4.7.0 < 4.7.0.2
WSO2 / WSO2 API Control Plane
4.5.0 < 4.5.0.55 4.6.0 < 4.6.0.19 4.7.0 < 4.7.0.2
WSO2 / WSO2 API Manager
3.2.0 < 3.2.0.470 3.2.1 < 3.2.1.89 4.0.0 < 4.0.0.390 4.1.0 < 4.1.0.254 4.2.0 < 4.2.0.194 4.3.0 < 4.3.0.105 4.4.0 < 4.4.0.69 4.5.0 < 4.5.0.54 4.6.0 < 4.6.0.18 4.7.0 < 4.7.0.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
security.docs.wso2.com: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2026-5236/