The vulnerability arises from improper validation of organization context in adaptive authentication flows within WSO2 Identity Server 7.1.0. A privileged user in one organization can manipulate adaptive authentication logic to affect other organizations and sub-organizations in a multi-organization deployment. This bypasses authorization boundaries, enabling unauthorized execution of critical operations, privilege escalation, and potential account takeover across organizations. The CVSS 3.1 vector (AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L) reflects that the attack requires high privileges but no user interaction, with significant confidentiality and integrity impact and low availability impact.

Successful exploitation allows a malicious actor with configuration privileges in one organization to perform unauthorized critical operations and access user accounts in other organizations and sub-organizations. This can lead to privilege escalation, unauthorized resource access, and potential account takeover across organizational boundaries within the WSO2 Identity Server deployment.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch information is provided, organizations should monitor WSO2 advisories for updates. Until a patch is available, restrict adaptive authentication configuration privileges to trusted administrators and consider additional access controls to limit cross-organization impact.