PatchSiren cyber security CVE debrief

CVE-2025-13475 WSO2 CVE debrief

CVE-2025-13475 is a vulnerability in the application consent management mechanism that fails to isolate consent scopes between tenants. This leads to unintended cross-tenant consent sharing, potentially exposing user data across tenants. The vulnerability has a CVSS score of 3.5 and is considered low severity. It has no impact if the deployment does not support multi-tenancy. The CVE was published on July 4, 2026.

Vendor: WSO2
Product: WSO2
CVSS: LOW 3.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-07-04
Original CVE updated: 2026-07-04
Advisory published: 2026-07-04
Advisory updated: 2026-07-04

Who should care

Organizations using multi-tenanted deployments of the affected application should be aware of this vulnerability. Specifically, those with SaaS applications that rely on consent management mechanisms should assess their exposure and take necessary actions to mitigate the risk.

Technical summary

The vulnerability arises from the application's failure to correctly isolate consent scopes between tenants in multi-tenanted deployments. When a user grants consent for a SaaS application in one tenant, it can be incorrectly applied to SaaS applications with the same name in other tenants. This can lead to unauthorized data access and privacy violations. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N.

Defensive priority

Given the low CVSS score and limited impact, defenders should prioritize monitoring and inventory checks. Confirm whether your deployment is multi-tenanted; if it is, verify that consent is scoped per tenant and restrict any cross-tenant consent sharing.

Recommended defensive actions

  • Review your deployment configuration to confirm whether multi-tenancy is enabled; if it is, verify that consent is scoped per tenant and restrict cross-tenant consent sharing.
  • Monitor user consent and access patterns for anomalies that could indicate cross-tenant consent sharing.
  • Implement compensating controls to restrict access to sensitive data across tenants.
  • Track the vendor's remediation and apply patches or updates as they become available.
  • Track exceptions and update your incident response plan to address potential cross-tenant consent sharing incidents.
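The following is an added illustration of the failure mode described in the technical summary and of the inventory check recommended above. It is not WSO2 code and does not reflect how WSO2 stores consent: it models a hypothetical consent store keyed by application name alone (where a grant made in one tenant satisfies a same-named application in another tenant) beside a tenant-scoped store, plus a helper that lists application names registered in more than one tenant. All class and function names, and the sample grants, are constructed for the example; it assumes a single user identity is visible across tenants.

```python
"""Illustrative consent-scope isolation check (added example, not WSO2 code).

A consent store that looks consent up by application name alone lets a grant
made in one tenant satisfy a request from a same-named application in another
tenant.  The tenant-scoped store keys on (tenant, app_name, user) instead.
All records are constructed sample data; the names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class ConsentGrant:
    tenant: str          # tenant in which the user granted consent
    app_name: str        # application name as registered in that tenant
    user: str
    scopes: FrozenSet[str]


class NameKeyedConsentStore:
    """Flawed design: consent keyed by (app_name, user); the tenant is ignored."""

    def __init__(self) -> None:
        self._grants: Dict[Tuple[str, str], FrozenSet[str]] = {}

    def grant(self, g: ConsentGrant) -> None:
        self._grants[(g.app_name, g.user)] = g.scopes

    def granted_scopes(self, tenant: str, app_name: str, user: str) -> FrozenSet[str]:
        # The tenant argument is accepted but never used in the lookup,
        # so a grant from tenant A is returned for a request from tenant B.
        return self._grants.get((app_name, user), frozenset())


class TenantScopedConsentStore:
    """Corrected design: the tenant is part of the consent key."""

    def __init__(self) -> None:
        self._grants: Dict[Tuple[str, str, str], FrozenSet[str]] = {}

    def grant(self, g: ConsentGrant) -> None:
        self._grants[(g.tenant, g.app_name, g.user)] = g.scopes

    def granted_scopes(self, tenant: str, app_name: str, user: str) -> FrozenSet[str]:
        return self._grants.get((tenant, app_name, user), frozenset())


def app_names_registered_in_multiple_tenants(grants: List[ConsentGrant]) -> Dict[str, List[str]]:
    """Inventory check: map each app name that appears in more than one tenant
    to the sorted list of those tenants.  These are the names for which a
    name-keyed lookup could hand one tenant's consent to another."""
    tenants_by_app: Dict[str, Set[str]] = {}
    for g in grants:
        tenants_by_app.setdefault(g.app_name, set()).add(g.tenant)
    return {name: sorted(t) for name, t in tenants_by_app.items() if len(t) > 1}


def demo() -> Tuple[FrozenSet[str], FrozenSet[str], Dict[str, List[str]]]:
    """Replay the scenario: alice consents to 'crm' in tenant-a only, then the
    'crm' application in tenant-b asks whether alice has consented."""
    grants = [  # constructed sample data
        ConsentGrant("tenant-a", "crm", "alice", frozenset({"profile", "email"})),
        ConsentGrant("tenant-a", "payroll", "bob", frozenset({"profile"})),
        ConsentGrant("tenant-c", "crm", "carol", frozenset({"email"})),
    ]
    flawed, fixed = NameKeyedConsentStore(), TenantScopedConsentStore()
    for g in grants:
        flawed.grant(g)
        fixed.grant(g)
    leaked = flawed.granted_scopes("tenant-b", "crm", "alice")    # non-empty: cross-tenant reuse
    isolated = fixed.granted_scopes("tenant-b", "crm", "alice")   # empty: tenant-b must obtain its own consent
    return leaked, isolated, app_names_registered_in_multiple_tenants(grants)


if __name__ == "__main__":
    leaked, isolated, collisions = demo()
    print("name-keyed store returns for tenant-b:", sorted(leaked))
    print("tenant-scoped store returns for tenant-b:", sorted(isolated))
    print("app names shared across tenants:", collisions)
```

Running the script shows the name-keyed store answering tenant-b's request with the scopes alice granted only in tenant-a, while the tenant-scoped store returns nothing. The inventory helper is the piece a defender would run over a consent export: any application name it reports is one where a consent-scope isolation flaw could surface, and the correct remediation is to make the tenant part of the lookup key rather than to rename applications.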

Evidence notes

The CVE record and NVD detail provide official information about the vulnerability. A source reference from WSO2 provides additional context. However, the corpus lacks detailed information on affected versions, patch availability, or workarounds.

Official resources

This article is AI-assisted and based on the supplied source corpus.