CVE-2025-10908

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock mechanism intended to prevent further login attempts.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4388/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:wso2:identity_server::::::::
	cpe:2.3:a:wso2:identity_server::::::::
	cpe:2.3:a:wso2:identity_server::::::::
	cpe:2.3:a:wso2:identity_server::::::::

History

27 May 2026, 19:50

Type	Values Removed	Values Added
First Time		Wso2 identity Server Wso2
CPE		cpe:2.3:a:wso2:identity_server::::::::
References	~~() https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4388/ -~~	() https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4388/ - Vendor Advisory

11 May 2026, 20:23

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.3

11 May 2026, 10:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-11 10:16

Updated : 2026-05-27 19:50

NVD link : CVE-2025-10908

Mitre link : CVE-2025-10908

CVE.ORG link : CVE-2025-10908

JSON object : View

Products Affected

wso2

identity_server

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2025-10908", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}]}, "published": "2026-05-11T10:16:12.590", "references": [{"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4388/", "tags": ["Vendor Advisory"], "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked.\n\nThis vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock mechanism intended to prevent further login attempts."}], "lastModified": "2026-05-27T19:50:11.337", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6E34A030-0542-4D6D-B6AB-84120126F978", "versionEndExcluding": "6.0.0.249", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "11004AEC-A44F-43EF-BBB9-EDEB656370D0", "versionEndExcluding": "6.1.0.248", "versionStartIncluding": "6.1.0"}, {"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6DD077D-36D9-4B1F-8D13-869EA0FE3030", "versionEndExcluding": "7.0.0.124", "versionStartIncluding": "7.0.0"}, {"criteria": "cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A354D72-7106-4EC6-8CF8-F13053461B17", "versionEndExcluding": "7.1.0.31", "versionStartIncluding": "7.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8"}