CVE Vulnerabilities

CVE-2025-13475

Authentication Bypass Using an Alternate Path or Channel

Published: Jul 04, 2026 | Modified: Jul 09, 2026
CVSS 3.x
7.3
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
root.io logo minimus.io logo echo.ai logo

In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. Consent granted by a user for a specific SaaS application within one tenant can be incorrectly applied to SaaS applications with the same name in other tenants, leading to unintended cross-tenant consent sharing.

This vulnerability may result in the exposure of user data across tenants, enabling SaaS applications in different tenants to access and modify information without explicit user authorization. This can lead to unauthorized data access and privacy violations. This vulnerability has no impact if the deployment does not support multi-tenancy.

Weakness

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Affected Software

NameVendorStart VersionEnd Version
Api_managerWso23.2.0 (including)3.2.0.457 (excluding)
Api_managerWso23.2.1 (including)3.2.1.76 (excluding)

Potential Mitigations

References