Authentication Bypass Vulnerability in WSO2 Products
CVE-2025-10908

7.3HIGH

Key Information:

Vendor: Wso2
Status: Wso2 Identity Server; Wso2 Carbon Magiclink Authenticator Module
Vendor: CVE Published:; 11 May 2026

What is CVE-2025-10908?

A vulnerability in WSO2 Identity Server allows unauthorized access to locked user accounts through Magic Link or Pass Key methods. When user account state validation is improperly handled during authentication, it enables malicious actors to bypass the security controls designed to prevent access to restricted accounts. This flaw compromises the integrity of the account lock mechanism, potentially exposing sensitive data and applications linked to accounts that should remain inaccessible.

Affected Version(s)

WSO2 Carbon MagicLink Authenticator Module 1.1.0 < 1.1.0.1

WSO2 Carbon MagicLink Authenticator Module 1.1.5 < 1.1.5.2

WSO2 Carbon MagicLink Authenticator Module 1.1.22 < 1.1.22.5

References

https://security.docs.wso2.com/en/latest/security-announc...

vendor-advisory

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
Sep 24, 2025

CVE-2025-10908 Data

JSON

Wso2

What is CVE-2025-10908?

Affected Version(s)

References

CVSS V3.1

Timeline