In June 2026, WSO2 patched seven vulnerabilities in its API platform, including the critical [CVE-2026-5430](https://securityonline.info/cve-watchtower/?cve_detail=CVE-2026-5430), rated 10/10 because it allows a JWT authentication bypass. The flaw enables full account takeover without any user interaction, which poses a significant risk to the enterprise APIs that banks and government agencies run on the platform.
The other vulnerabilities, of varying severity, include privilege escalation, a file upload issue, SQL injection, denial of service, and SSRF. Affected versions include WSO2 API Manager 4.6.0 and earlier releases. WSO2 has released patches, and users are urged to apply the updates promptly to safeguard their systems.