WSO2 API Manager – Server-Side Request Forgery (CVE-2026-2053)
Scope: WSO2 API Manager, Versions 3.1.0, 3.2.0, 3.2.1, 4.0.0, and 4.2.0 Prior to Fixed Product Releases
Severity: High
A server-side request forgery (SSRF) vulnerability in the message flow component of WSO2 API Manager allows an unauthenticated remote attacker to manipulate WS-Addressing headers and thereby redirect network requests that the server itself initiates. WS-Addressing headers such as ReplyTo and FaultTo are supplied by the client and carry endpoint URLs to which the server sends messages, so an attacker who controls them chooses the destination of the gateway's outbound traffic. Successful exploitation permits the attacker to bypass firewall restrictions and internal network segmentation, using the trusted position of the API gateway to scan internal ports, pivot into otherwise isolated network segments, and exfiltrate sensitive data.

Organizations should upgrade immediately to the fixed release for their active branch: 3.1.0.360, 3.2.0.465, 3.2.1.84, 4.0.0.385, or 4.2.0.189. As additional hardening, administrators should configure strict URL allowlists for all outbound requests, reject or strip client-supplied WS-Addressing headers that the deployed APIs do not need, and monitor application traffic logs for requests whose WS-Addressing headers point at unexpected hosts, IP literals, or loopback, link-local, and private address ranges. An allowlist that matches only hostnames should also be enforced on the resolved IP address at connection time, so that DNS answers pointing at internal addresses are rejected as well.
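The header validation and outbound allowlist described above, as an added example that is not WSO2's code and not part of this advisory: it parses a SOAP envelope with Python's standard library, extracts the WS-Addressing endpoint headers, and flags any that do not point at an allowlisted host or that name a non-global IP literal. The namespace URIs are the published WS-Addressing and SOAP ones; the allowlist, the hostnames and the sample envelope are constructed for the demonstration.

```python
"""Allowlist check for WS-Addressing endpoint references in a SOAP envelope.

Added example, not WSO2 code. It reads the wsa:To / wsa:ReplyTo / wsa:FaultTo /
wsa:From headers of an incoming envelope and rejects any endpoint whose value is
not an http(s) URL to an allowlisted host, or whose host is an IP literal in a
non-global range (loopback, private, link-local such as cloud metadata services).
The sample envelope and the allowlist below are constructed for the demonstration.
"""
import ipaddress
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

WSA_NAMESPACES = (
    "http://www.w3.org/2005/08/addressing",              # WS-Addressing 1.0
    "http://schemas.xmlsoap.org/ws/2004/08/addressing",  # 2004/08 submission
)
SOAP_ENV_NAMESPACES = (
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",    # SOAP 1.2
)
# Header blocks whose value is a URL the server will send a message to.
ENDPOINT_HEADERS = ("To", "ReplyTo", "FaultTo", "From")
# Special URIs: "anonymous" means reply on the same connection, "none" means discard.
SAFE_URIS = {
    "http://www.w3.org/2005/08/addressing/anonymous",
    "http://www.w3.org/2005/08/addressing/none",
    "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous",
}

ALLOWED_HOSTS = {"api.example.com", "partner.example.net"}  # constructed allowlist


def extract_wsa_endpoints(envelope_xml: str) -> dict:
    """Return {header_name: uri} for every WS-Addressing endpoint header present."""
    root = ET.fromstring(envelope_xml)
    header = None
    for ns in SOAP_ENV_NAMESPACES:
        header = root.find(f"{{{ns}}}Header")
        if header is not None:
            break
    found = {}
    if header is None:
        return found
    for ns in WSA_NAMESPACES:
        for name in ENDPOINT_HEADERS:
            block = header.find(f"{{{ns}}}{name}")
            if block is None:
                continue
            # wsa:To holds the URI directly; the others are EndpointReferences
            # whose URI sits in a nested wsa:Address element.
            address = block.find(f"{{{ns}}}Address")
            text = address.text if address is not None else block.text
            found[name] = (text or "").strip()
    return found


def endpoint_allowed(uri: str, allowed_hosts: set) -> bool:
    """True only for the WS-Addressing special URIs or http(s) URLs to an allowlisted host."""
    if uri in SAFE_URIS:
        return True
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return False          # file:, ftp:, gopher: and friends never leave the gateway
    host = parts.hostname     # lower-cased; userinfo and port are already stripped
    if not host:
        return False
    try:
        if not ipaddress.ip_address(host).is_global:
            return False      # 127/8, 10/8, 169.254/16, ::1, fc00::/7, ...
    except ValueError:
        pass                  # a DNS name: the allowlist decides
    return host in allowed_hosts


def check_envelope(envelope_xml: str, allowed_hosts: set) -> list:
    """Return [(header, uri), ...] for every endpoint header that fails the allowlist."""
    return [
        (name, uri)
        for name, uri in extract_wsa_endpoints(envelope_xml).items()
        if not endpoint_allowed(uri, allowed_hosts)
    ]


# Constructed sample: a legitimate wsa:To plus attacker-chosen ReplyTo/FaultTo endpoints.
SAMPLE_ENVELOPE = """<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soapenv:Header>
    <wsa:To>https://api.example.com/services/Orders</wsa:To>
    <wsa:Action>urn:example:getOrder</wsa:Action>
    <wsa:ReplyTo><wsa:Address>http://10.0.0.5:8080/callback</wsa:Address></wsa:ReplyTo>
    <wsa:FaultTo><wsa:Address>http://169.254.169.254/latest/meta-data/</wsa:Address></wsa:FaultTo>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

if __name__ == "__main__":
    for name, uri in check_envelope(SAMPLE_ENVELOPE, ALLOWED_HOSTS):
        print(f"REJECT wsa:{name} -> {uri}")
```

DNS names are deliberately not resolved here so the example runs offline; in a gateway the same non-global IP check should be repeated on the resolved address at connection time, and redirect targets of the outbound request should be re-checked, otherwise a hostname that resolves to an internal address slips past a name-only allowlist.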
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the GitHub Security Advisory for CVE-2026-2053 and apply the necessary updates.