Auth bypass in Wso2 Identity_server
CVE-2025-10908
Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to ac…
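The bug class the description points at, as an added Python illustration that is not WSO2 code: a constructed identity store in which the magic-link authenticator resolves the subject and issues a session without consulting account state, beside a fixed variant that routes every authenticator through one shared account-state gate before a session exists. All names here (IdentityStore, enforce_account_state, magic_link_login_vulnerable, magic_link_login_fixed, demo) are assumptions made for the example.

```python
import secrets

class AccountLockedError(Exception):
    pass

class IdentityStore:
    def __init__(self):
        self.locked = {}        # username -> bool (account state); constructed store
        self.magic_tokens = {}  # one-time magic-link token -> username

    def add_user(self, username, locked=False):
        self.locked[username] = locked

    def issue_magic_link(self, username):
        token = secrets.token_urlsafe(16)
        self.magic_tokens[token] = username
        return token

    def consume_magic_token(self, token):
        return self.magic_tokens.pop(token, None)  # single use

def enforce_account_state(store, session):
    if store.locked.get(session["subject"], True):  # unknown user is treated as locked
        raise AccountLockedError(session["subject"])
    return session

def magic_link_login_vulnerable(store, token):
    username = store.consume_magic_token(token)
    if username is None:
        return None
    return {"subject": username, "method": "magic_link"}  # account state never checked

def magic_link_login_fixed(store, token):
    username = store.consume_magic_token(token)
    if username is None:
        return None
    # Same gate every authentication method must pass, so a lock holds regardless of method
    return enforce_account_state(store, {"subject": username, "method": "magic_link"})

def demo():
    store = IdentityStore()
    store.add_user("alice", locked=True)
    t_vuln, t_fixed = store.issue_magic_link("alice"), store.issue_magic_link("alice")
    vulnerable_session = magic_link_login_vulnerable(store, t_vuln)
    try:
        magic_link_login_fixed(store, t_fixed)
        fixed_outcome = "session"
    except AccountLockedError:
        fixed_outcome = "locked"
    return vulnerable_session is not None, fixed_outcome
```

demo() returns (True, "locked"): the vulnerable path hands a locked account a session, the fixed path refuses it.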
Vulnerability class: Broken Access Control
EPSS: 0.001 (21.5th percentile)
CVSS v3 metric
CVSS v3 base score 7.3 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L.
Affected products
- Wso2 Identity_server
- Wso2 Carbon Magiclink Authenticator Module — versions 1.1.0, 1.1.5, 1.1.22
- Wso2 Identity Server — versions 0, 6.0.0, 6.1.0
Weakness classification (CWE)
References
- ed10eef1-636d-4fbe-9993-6890dfa878f8 (vendor advisory)
Frequently asked questions
- What is CVE-2025-10908?
- CVE-2025-10908 is a high-severity vulnerability in Wso2 Identity_server, classified under Incorrect Authorization. CVSS score: 7.3/10. Published 2026-05-11.
- How severe is CVE-2025-10908?
- High severity. CVSS v3 base score is 7.3 out of 10.