CVE-2025-12624
Received Received - Intake
Access Token Revocation Failure in WSO2 Identity Server

Publication date: 2026-04-16

Last updated on: 2026-04-23

Assigner: WSO2 LLC

Description
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12624
EUVD
EUVD-2025-209495
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wso2 identity_server 5.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in WSO2 Identity Server where active access tokens are not revoked or invalidated when a user account is locked.

Because the tokens remain valid even after the account is locked, the locked user can still use these tokens to access protected resources.

This means that the system fails to enforce proper access control by allowing continued access through previously issued tokens.

Impact Analysis

The impact of this vulnerability is that a locked user account can still access protected resources using existing, unexpired access tokens.

This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or unauthorized actions.

The risk persists until the tokens naturally expire, which could allow attackers or unauthorized users to maintain access longer than intended.

Compliance Impact

This vulnerability allows locked user accounts to continue accessing protected resources using valid, unexpired access tokens. This bypass of access control policies can lead to unauthorized data access or actions.

Such unauthorized access could potentially violate compliance requirements in standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of sensitive data.

Failure to revoke access tokens upon account lockout undermines the enforcement of security policies, increasing the risk of data breaches and non-compliance with regulatory obligations related to data confidentiality and integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12624. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart