QSearchQSearch

CVE-2025-10908

7.3 HIGH

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic ...

Published: 2026-05-11 · Last updated: 2026-05-27

Severity and scoring

CVSS
7.3 HIGH
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE
CWE-863

Affected products

VendorProduct
wso2identity_server

Description

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock mechanism intended to prevent further login attempts.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2025-9973 Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive aut... (6.4 MEDIUM)
  • CVE-2025-10470 The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, l... (8.6 HIGH)
  • CVE-2025-8325 The software fails to enforce role-based access controls for certain Gateway API invocations (6.3 MEDIUM)
  • CVE-2025-8154 In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitizat... (5.3 MEDIUM)
  • CVE-2024-0391 The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the exis... (5.3 MEDIUM)

Same CWE

  • CVE-2026-49219 ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
  • CVE-2026-53738 Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdp_action_handling AJAX handler (8.1 HIGH)
  • CVE-2026-49824 Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (8.5 HIGH)
  • CVE-2026-49823 Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (7.7 HIGH)
  • CVE-2026-48860 Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the dis...