A privilege escalation vulnerability exists in multiple [Vendor Name] products due to a business logic flaw SOAP admin services. A malicious actor can create new user with elevated permissions only when all of the following conditions are met: * services accessible attacker. The deployment includes an internally used attribute that is not part default WSO2 product configuration. At least one custom role non-default permissions. attacker has knowledge and internal deployment. Exploiting this allows actors assign higher privileges self-registered users, bypassing intended access control mechanisms.