Access Control Flaw in WSO2 Identity Server
CVE-2025-12624

6 MEDIUM

Key Information:

Vendor:
WSO2
CVE Published:
16 April 2026

What is CVE-2025-12624?

A security vulnerability in WSO2 Identity Server allows access tokens to remain active even when the owning user account is locked. Previously issued, still-valid tokens therefore remain usable, granting a locked account unintended access to protected resources. This bypasses the account lock as an access control measure and may lead to unauthorized data retrieval or actions until those tokens eventually expire.
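The following is an added example, not code from WSO2 or from this advisory, that illustrates the class of flaw described above in an in-memory model: a token check that consults only the token's own expiry keeps honoring tokens after the account is locked, while a check that also consults the account's current lock state (and revokes outstanding tokens at lock time) does not. Every name, store and clock value here is constructed for the example and does not reflect WSO2 Identity Server's internal data model.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    username: str
    locked: bool = False


@dataclass
class AccessToken:
    value: str
    subject: str
    expires_at: float
    revoked: bool = False


# Constructed in-memory stores standing in for an identity server's user
# store and token store (hypothetical; not WSO2's data model).
ACCOUNTS: Dict[str, Account] = {}
TOKENS: Dict[str, AccessToken] = {}


def _now(now: Optional[float]) -> float:
    """Injectable clock so the walkthrough is deterministic."""
    return time.time() if now is None else now


def issue_token(username: str, ttl_seconds: int = 3600,
                now: Optional[float] = None) -> str:
    """Issue a bearer token for an unlocked account and record it."""
    account = ACCOUNTS[username]
    if account.locked:
        raise PermissionError("locked accounts cannot obtain tokens")
    value = secrets.token_urlsafe(32)
    TOKENS[value] = AccessToken(value, username, _now(now) + ttl_seconds)
    return value


def validate_expiry_only(token_value: str, now: Optional[float] = None) -> bool:
    """The flawed check: a token is trusted until it expires, regardless of
    what happened to the account after issuance."""
    token = TOKENS.get(token_value)
    return token is not None and _now(now) < token.expires_at


def validate_with_account_state(token_value: str,
                                now: Optional[float] = None) -> bool:
    """The hardened check: expiry, explicit revocation and the *current*
    lock state of the owning account are all consulted on every use."""
    token = TOKENS.get(token_value)
    if token is None or token.revoked or _now(now) >= token.expires_at:
        return False
    account = ACCOUNTS.get(token.subject)
    return account is not None and not account.locked


def lock_account(username: str, revoke_tokens: bool = True) -> int:
    """Lock an account and, by default, revoke every live token issued to it.
    Returns the number of tokens revoked."""
    ACCOUNTS[username].locked = True
    revoked = 0
    if revoke_tokens:
        for token in TOKENS.values():
            if token.subject == username and not token.revoked:
                token.revoked = True
                revoked += 1
    return revoked


def demo() -> Dict[str, object]:
    """Walk through the advisory's scenario with fixed clock values."""
    ACCOUNTS.clear()
    TOKENS.clear()
    ACCOUNTS["alice"] = Account("alice")
    t0 = 1_000.0
    token = issue_token("alice", ttl_seconds=3600, now=t0)
    results: Dict[str, object] = {
        "before_lock_expiry_only": validate_expiry_only(token, now=t0 + 60),
        "before_lock_hardened": validate_with_account_state(token, now=t0 + 60),
    }
    # Lock without revocation first: this is the situation the advisory describes.
    lock_account("alice", revoke_tokens=False)
    results["after_lock_expiry_only"] = validate_expiry_only(token, now=t0 + 120)
    results["after_lock_hardened"] = validate_with_account_state(token, now=t0 + 120)
    # Revoking at lock time closes the window even for consumers that only
    # look at the token record itself.
    results["revoked_count"] = lock_account("alice", revoke_tokens=True)
    results["after_revoke_hardened"] = validate_with_account_state(token, now=t0 + 180)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two independent mitigations appear in the block: the resource side re-checks account state on each request (`validate_with_account_state`), and the identity side revokes outstanding tokens when the lock is applied (`lock_account` with `revoke_tokens=True`). Either closes the gap on its own; deploying both means a token stays unusable even if one consumer only checks the token record.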

Affected Version(s)

WSO2 Identity Server 5.2.0, versions earlier than 5.2.0.35 (5.2.0 < 5.2.0.35)

References

CVSS V3.1

Score: 6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
