CVE-2024-8010 PUBLISHED

XML External Entity Injection via Publisher in WSO2 API Manager Allows Reading Arbitrary Files

Assigner: WSO2
Reserved: 20.08.2024 Published: 16.04.2026 Updated: 16.04.2026

The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references.

By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 3.5

Attack Vector	Adjacent Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	WSO2
Product	WSO2 API Manager
Versions	Default: unaffected unknown from 0 to 3.2.0 (excl.) affected from 3.2.0 to 3.2.0.397 (excl.) affected from 3.2.1 to 3.2.1.27 (excl.) affected from 4.0.0 to 4.0.0.310 (excl.) affected from 4.0.0 to 4.0.0.319 (excl.) affected from 4.1.0 to 4.1.0.171 (excl.) affected from 4.2.0 to 4.2.0.127 (excl.) affected from 4.3.0 to 4.3.0.39 (excl.)

Solutions

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581/#solution

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581/

Problem Types

CWE-611: Improper Restriction of XML External Entity Reference ('XXE') CWE

Impacts

CAPEC-120 CAPEC-120: XML External Entity (XXE) Injection