Auth Bypass for Locked Accounts via Magic Link in WSO2 Identity Server
CVE-2025-10908 Published on May 11, 2026

Account Lock Bypass via Magic Link or Pass Key Authentication in WSO2 Identity Server Allows Unauthorized Access
Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock mechanism intended to prevent further login attempts.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-10908 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

LOW

Weakness Type

What is an AuthZ Vulnerability?

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVE-2025-10908 has been classified to as an AuthZ vulnerability or weakness.

Products Associated with CVE-2025-10908

stack.watch emails you whenever new vulnerabilities are published in Wso2 Identity Server or Wso2 Carbon Magiclink Authenticator Module. Just hit a watch button to start following.

Wso2 Identity Server

Wso2 Carbon Magiclink Authenticator Module

Affected Versions

WSO2 Identity Server:

Before 6.0.0 is unknown.
Version 6.0.0 and below 6.0.0.249 is affected.
Version 6.1.0 and below 6.1.0.248 is affected.
Version 7.0.0 and below 7.0.0.124 is affected.
Version 7.1.0 and below 7.1.0.31 is affected.

WSO2 Carbon MagicLink Authenticator Module:

Version 1.1.0 and below 1.1.0.1 is affected.
Version 1.1.5 and below 1.1.5.2 is affected.
Version 1.1.22 and below 1.1.22.5 is affected.
Version 1.1.31 and below 1.1.31.2 is affected.
Version 1.1.43, <= * is unaffected.

Exploit Probability

EPSS

0.07%

Percentile

21.47%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.