Authentication Bypass Vulnerability in WSO2 Products
CVE-2025-10908

Currently unrated

Key Information:

Vendor

Wso2

Status
Wso2 Identity Server
Wso2 Carbon Magiclink Authenticator Module
Vendor
CVE Published:
11 May 2026

What is CVE-2025-10908?

A vulnerability in WSO2 Identity Server allows unauthorized access to locked user accounts through Magic Link or Pass Key methods. When user account state validation is improperly handled during authentication, it enables malicious actors to bypass the security controls designed to prevent access to restricted accounts. This flaw compromises the integrity of the account lock mechanism, potentially exposing sensitive data and applications linked to accounts that should remain inaccessible.

Affected Version(s)

WSO2 Carbon MagicLink Authenticator Module 1.1.0 < 1.1.0.1

WSO2 Carbon MagicLink Authenticator Module 1.1.5 < 1.1.5.2

WSO2 Carbon MagicLink Authenticator Module 1.1.22 < 1.1.22.5

References

https://security.docs.wso2.com/en/latest/security-announc...
vendor-advisory

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.