In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. Consent granted by a user for a specific SaaS application within one tenant can be incorrectly applied to SaaS applications with the same name in other tenants, leading to unintended cross-tenant consent sharing.
This vulnerability may result in the exposure of user data across tenants, enabling SaaS applications in different tenants to access and modify information without explicit user authorization. This can lead to unauthorized data access and privacy violations. This vulnerability has no impact if the deployment does not support multi-tenancy.
Metrics
Affected Vendors & Products
References
History
Sat, 04 Jul 2026 14:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Wso2
Wso2 wso2 Api Manager Wso2 wso2 Identity Server |
|
| Vendors & Products |
Wso2
Wso2 wso2 Api Manager Wso2 wso2 Identity Server |
Sat, 04 Jul 2026 13:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. Consent granted by a user for a specific SaaS application within one tenant can be incorrectly applied to SaaS applications with the same name in other tenants, leading to unintended cross-tenant consent sharing. This vulnerability may result in the exposure of user data across tenants, enabling SaaS applications in different tenants to access and modify information without explicit user authorization. This can lead to unauthorized data access and privacy violations. This vulnerability has no impact if the deployment does not support multi-tenancy. | |
| Title | Cross-Tenant Access via Application Consent Mismanagement in Multiple WSO2 Products Allows Unauthorized Data Exposure | |
| Weaknesses | CWE-288 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: WSO2
Published:
Updated: 2026-07-04T12:49:06.782Z
Reserved: 2025-11-20T12:17:18.234Z
Link: CVE-2025-13475
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-04T14:30:04Z