Skip to main content

Wso2 Identity Server CVE-2025-12624

| EUVDEUVD-2025-209495 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-04-16 WSO2 GHSA-gw5f-5fmc-2xp2
6.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.0 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch released
Apr 23, 2026 - 15:34 nvd
Patch available
Patch available
Apr 16, 2026 - 11:01 EUVD
EUVD ID Assigned
Apr 16, 2026 - 10:45 euvd
EUVD-2025-209495
CVE Published
Apr 16, 2026 - 10:25 nvd
MEDIUM 6.0

DescriptionCVE.org

Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts.

The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire.

Analysis

Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts.

The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire.

CVE-2025-10470 HIGH
8.6 May 11

Memory exhaustion denial-of-service in WSO2 Identity Server's Magic Link authenticator allows remote unauthenticated att

CVE-2024-2374 HIGH
7.5 Apr 16

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the

CVE-2025-10908 HIGH
7.3 May 11

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authentic

CVE-2025-9973 MEDIUM
6.4 May 11

WSO2 Identity Server in multi-organization deployments fails to validate organization context during adaptive authentica

CVE-2025-8591 MEDIUM
6.1 Jul 06

Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, AP

CVE-2025-10503 MEDIUM
6.1 Apr 29

The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a

CVE-2025-6024 MEDIUM
6.1 Apr 16

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script

CVE-2024-1248 MEDIUM
5.3 Jul 04

The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segrega

CVE-2024-0391 MEDIUM
5.3 May 11

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker

CVE-2025-13475 HIGH
7.3 Jul 04

Cross-tenant consent leakage in WSO2 Identity Server and WSO2 API Manager multi-tenant deployments lets a SaaS applicati

Share

CVE-2025-12624 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy