Zero Day Monitor (ZDM) © 2026
CVE-2025-10908 · CVSS 7.5 · Exploited · Patched
Vendor: wso2 · Product: wso2 identity server

Account Lock Bypass via Magic Link or Pass Key Authentication in WSO2 Identity Server Allows Unauthorized Access

Description

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock mechanism intended to prevent further login attempts.

Affected Products

Vendor: wso2
Product: wso2 identity server
Versions: 6.0.0, 6.1.0, 7.0.0, 7.1.0, 1.1.0, 1.1.5, 1.1.22, 1.1.31

References

  • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4388/ (vendor advisory)

Related News (1 article)

Tier C · VulDB · 47d ago
CVE-2025-10908 | WSO2 Identity Server Magic Link/Pass Key authorization
→ No new info (linked only)

CVSS 3.1: 7.5 HIGH
CISA KEV: No
Actively exploited: Yes
Patch available (fixed versions): 6.0.0.249, 6.1.0.248, 7.0.0.124, 7.1.0.31, 1.1.0.1, 1.1.5.2, 1.1.22.5, 1.1.31.2, 1.1.43
CWE: CWE-863
Published: May 11, 2026
Last enriched: 47d ago (v2)
Tags: CVE-2025-10908
Trending Score: 0
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack


Related CVEs (5)

  • HIGH · CVE-2026-2053 · EXP
    Unauthenticated Server-Side Request Forgery via WS-Addressing in WSO2 API Manager
    Trending: 54
  • MEDIUM · CVE-2024-0391 · EXP
    Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery
  • MEDIUM · CVE-2025-9973
    Authorization Bypass via Adaptive Authentication in WSO2 Identity Server Allows Cross-Organization Account Takeover
  • MEDIUM · CVE-2025-8325 · EXP
    Improper Access Control via Gateway API in Multiple WSO2 Products Allows Unauthorized Operations
  • HIGH · CVE-2024-2374
    XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary File Read and Denial of Service


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: May 11, 2026
Actively Exploited: May 11, 2026
Patch Available: May 11, 2026
Discovered by ZDM: May 11, 2026
Updated (severity, cvssEstimate, activelyExploited, tags): May 11, 2026

Version History

v2 · Tier C · 47d ago (last enriched) · via VulDB
Updated severity to HIGH, added CVSS estimate of 7.5, and marked the vulnerability as actively exploited.
Fields changed: severity, cvssEstimate, activelyExploited, tags

v1 · 47d ago
Initial creation