CVE-2025-10908
Authentication Bypass via Magic Link in Application

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: WSO2 LLC

Description
Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock mechanism intended to prevent further login attempts.
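As an added illustration of the defect class the description names (constructed example, not WSO2's code and not the actual Identity Server logic), the dispatcher below checks the account lock only on the password path in the vulnerable variant and once, ahead of every authenticator, in the fixed one; the user store and the magic-link/passkey credential strings are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    password: str
    locked: bool


# Constructed sample user store; "mallory" has been locked by the account lock mechanism.
USERS = {
    "alice": Account("alice", "correct horse", locked=False),
    "mallory": Account("mallory", "hunter2", locked=True),
}


def _password_ok(acct, cred):
    return cred == acct.password


def _magic_link_ok(acct, cred):
    # Placeholder: a real deployment verifies a random, single-use token from a store.
    return cred == f"token-for-{acct.username}"


def _passkey_ok(acct, cred):
    # Placeholder: a real deployment verifies a WebAuthn assertion signature.
    return cred == f"assertion-for-{acct.username}"


VERIFIERS = {"password": _password_ok, "magic_link": _magic_link_ok, "passkey": _passkey_ok}


def authenticate_vulnerable(username, method, credential):
    """Lock state is validated only on the password path, so a locked account can
    still complete a magic link or passkey login (the CWE-863 pattern above)."""
    acct = USERS.get(username)
    if acct is None:
        return False
    if method == "password":
        return (not acct.locked) and _password_ok(acct, credential)
    return VERIFIERS[method](acct, credential)


def authenticate_fixed(username, method, credential):
    """Account state is validated once, before any authenticator runs, so every
    method is subject to the same lock check and unknown methods are rejected."""
    acct = USERS.get(username)
    if acct is None or acct.locked:
        return False
    verifier = VERIFIERS.get(method)
    return verifier is not None and verifier(acct, credential)
```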
Affected Vendors & Products
Vendor Product Version / Range
wso2 identity_server 7.1.0
wso2 identity_server 7.0.0
wso2 identity_server 6.1.0
wso2 identity_server 6.0.0
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthorized access to applications and sensitive data by bypassing account lock mechanisms, which can lead to unauthorized data exposure.

Such unauthorized access undermines security controls that are critical for compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to potential unauthorized access and data breaches.


Can you explain this vulnerability to me?

CVE-2025-10908 is a security vulnerability in WSO2 Identity Server versions 7.1.0, 7.0.0, 6.1.0, and 6.0.0 where locked user accounts can still be authenticated using Magic Link or Pass Key methods.

This happens because the system does not properly validate the user account state during authentication, allowing locked accounts to bypass the intended security controls.

As a result, users who should be prevented from accessing their accounts due to being locked can still log in through these alternative authentication methods.


How can this vulnerability impact me?

This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been locked.

It undermines the effectiveness of the account lock mechanism, which is designed to prevent further login attempts after suspicious or malicious activity.

Therefore, attackers or unauthorized users could gain access to restricted resources, potentially leading to data breaches or misuse of the application.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should update your WSO2 Identity Server to the specified update levels where the issue is fixed.

  • For WSO2 Identity Server 7.1.0, update to update level 31.
  • For WSO2 Identity Server 7.0.0, update to update level 124.
  • For WSO2 Identity Server 6.1.0, update to update level 248.
  • For WSO2 Identity Server 6.0.0, update to update level 249.

If updating is not feasible, migrating to the latest unaffected version is recommended.

Community users can apply fixes available via public GitHub pull requests, while support subscription holders should follow the update guidance.

