The throttling event handling mechanism in multiple WSO2 products accepts user-supplied JSON payloads without sufficient validation of their structure and content. This allows an unauthenticated remote attacker to inject malicious JSON data that can lead to a persistent denial of service condition.

Successful exploitation of this vulnerability can disrupt the API Gateway, preventing legitimate API traffic from being processed and impacting complete service availability. The denial of service is persistent, requiring manual intervention to restore normal operations.

Project Subscriptions

Vendors Products
Wso2 Api Control Plane Subscribe
Wso2 Api Manager Subscribe
Wso2 Traffic Manager Subscribe
Wso2 Universal Gateway Subscribe
Advisories

No advisories yet.

Fixes

Solution

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2026-5236/#solution


Workaround

No workaround given by the vendor.

History

Mon, 06 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 10:30:00 +0000

Type Values Removed Values Added
Description The throttling event handling mechanism in multiple WSO2 products accepts user-supplied JSON payloads without sufficient validation of their structure and content. This allows an unauthenticated remote attacker to inject malicious JSON data that can lead to a persistent denial of service condition. Successful exploitation of this vulnerability can disrupt the API Gateway, preventing legitimate API traffic from being processed and impacting complete service availability. The denial of service is persistent, requiring manual intervention to restore normal operations.
Title Denial of Service via Malicious JSON Payloads in Throttling Events in Multiple WSO2 Products Causing Persistent Service Disruption
First Time appeared Wso2
Wso2 wso2 Api Control Plane
Wso2 wso2 Api Manager
Wso2 wso2 Traffic Manager
Wso2 wso2 Universal Gateway
Weaknesses CWE-707
CPEs cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*
Vendors & Products Wso2
Wso2 wso2 Api Control Plane
Wso2 wso2 Api Manager
Wso2 wso2 Traffic Manager
Wso2 wso2 Universal Gateway
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: WSO2

Published:

Updated: 2026-07-06T11:03:48.847Z

Reserved: 2026-03-16T05:47:35.673Z

Link: CVE-2026-4249

cve-icon Vulnrichment

Updated: 2026-07-06T11:03:28.003Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T11:30:04Z

Weaknesses