9.1

Carbon API Manager Allows Unrestricted File Uploads

CVE-2025-13590 GHSA-p6jf-79j3-33f3
Summary

Carbon API Manager's file upload feature can be exploited by an attacker who already holds admin privileges, potentially leading to code execution on your server, which could give the attacker control of the system. To protect your system, ensure that administrative access is limited to trusted personnel and consider restricting the file types that can be uploaded.

What to do
  • Update wso2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl to version 9.32.167.
Affected software
Vendor  Product                                             Affected versions  Fix available
wso2    org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl  <= 9.32.167        9.32.167
wso2    api_control_plane                                   4.5.0
wso2    api_control_plane                                   4.6.0
wso2    api_manager                                         4.2.0
wso2    api_manager                                         4.3.0
wso2    api_manager                                         4.4.0
wso2    api_manager                                         4.5.0
wso2    api_manager                                         4.6.0
wso2    traffic_manager                                     4.5.0
wso2    traffic_manager                                     4.6.0
wso2    universal_gateway                                   4.5.0
wso2    universal_gateway                                   4.6.0
Original title
carbon-apimgt does not properly restrict uploaded files
Original description
A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution.

By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.
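As an added illustration, not Carbon API Manager's own code, the check below shows the defensive pattern for the two conditions the summary and description name: a caller-supplied destination and an unrestricted file type. The upload root and the extension allowlist are assumed values chosen for the example.

```python
import os
from pathlib import Path

# Constructed example, not WSO2 code: an upload handler that refuses the two
# failure modes behind CWE-434 here, a destination the caller steers and a
# file type that the server could later execute.

UPLOAD_ROOT = Path("/var/lib/example-upload-root").resolve()  # assumed location
ALLOWED_EXTENSIONS = {".json", ".yaml", ".yml", ".xml"}         # assumed allowlist


class UploadRejected(ValueError):
    """Raised when a request must not be written to disk."""


def safe_destination(filename: str, upload_root: Path = UPLOAD_ROOT) -> Path:
    """Return the path an upload may be written to, or raise UploadRejected.

    Checks, in order: the name carries no directory component, its extension
    is on the allowlist, and the resolved target still sits under upload_root.
    """
    # 1. Reject any path component: "../x" or "a/b" must not steer the write.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base != filename:
        raise UploadRejected(f"filename may not contain a path: {filename!r}")
    # 2. Allowlist the extension rather than blocklisting known-bad ones.
    ext = Path(base).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"file type not permitted: {ext or '(none)'}")
    # 3. Resolve and confine, so containment does not rely on step 1 alone.
    target = (upload_root / base).resolve()
    if upload_root not in target.parents:
        raise UploadRejected("destination escapes the upload root")
    return target


def is_accepted(filename: str) -> bool:
    """True if safe_destination would accept the name, False otherwise."""
    try:
        safe_destination(filename)
        return True
    except UploadRejected:
        return False
```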
NVD CVSS 3.1: 7.2
Vulnerability type
CWE-434 Unrestricted File Upload
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026